Thursday Apr 21, 2016

Wanted: Outstanding Oracle Security Experts to Speak @OpenWorld 2016

The Oracle OpenWorld 2016 call for proposals is now open. Attendees at the conference are eager to hear from experts on Oracle security and technology. They're looking for insights and improvements they can put to use in their own jobs: exciting innovations, strategies to modernize their business, different or easier ways to implement, unique use cases, lessons learned, the best of best practices.

Oracle OpenWorld in San Francisco

If you've got something special to share with other Oracle Identity Management and Database Security users and technologists, they want to hear from you, and so do we.

Submit your proposal now for this opportunity to present at Oracle OpenWorld, the most important Oracle technology and business conference of the year.

Thursday Mar 24, 2016

RSA Conference 2016: Kevin Mitnick Demonstrates Hacking Techniques with Audience by Zain Rafique

Kevin Mitnick, is a name that is very well known in the Information Security Industry, but even more so known with the FBI. Kevin went by aliases such as The Condor, and The Darkside Hacker before his 1995 run-in with the Federal Government for computer related crimes. He now runs his own security firm named Mitnick Security Consulting LLC, as well as serves as Chief Hacking Officer for a security awareness company called KnowBe4. Kevin has since moved from “The Darkside” to being a world famous white hat hacker, and joined Oracle and Hub City Media at the RSA Conference 2016 to shed insight on current security threats organizations can expect. During a live presentation Kevin used a real life environment to not only capture the audience’s attention, but also capture a brave volunteer’s personal information. Starting with only her First and Last name, Kevin shocked the room by gaining access not only to her date of birth, her valuable social security number, but also her dear mother’s maiden name.

Kevin Mitnick - RSA 2016

What Kevin proved in just minutes within his presentation, is we are not safe. In fact, this was an “eye opening and humbling” experience which shed insight on the dangers that we face without even knowing it. Luckily during the presentation Kevin did not have to continue the assault as a malicious hacker would proceed to order credit cards, gain access to her bank account, destroy her identity and credit score, all the while ordering a new pair of shoes he has been eyeing.

To learn more about what Oracle and Kevin Mitnick are working on together, to help educate consumers and businesses alike, register below to listen to Kevin as he presents a detailed perspective on the risks and what steps individuals and organizations should be taking to better shield themselves from abuse.

Register for Kevin Mitnick Webcast

Friday Feb 19, 2016

Next Generation IDaaS: Moving From Tactical to Strategic by Matt Flynn

First generation Identity as a Service (IDaaS) was a fashion statement that’s on its way out. It was cool while it lasted. And it capitalized on some really important business needs. But it attempted to apply a tactical fix to a strategic problem.

We all know by now that the world has changed. The way we secure information assets today barely resembles the approaches of last decade. When I hear security marketers still talking about ‘erosion of the perimeter’, I cringe. The perimeter is long gone. If employees have access to data, it’s already on their mobile devices and it’s being shared via cloud services. Outsiders are in and insiders are out; that debate is long over. But we’re still in the infancy of solving the bigger problem which is addressing the security needs of next generation businesses.

In the early part of the ongoing Digital Transformation, many organizations found themselves scrambling to react to changing business needs. Adoption of SaaS, cloud services, and mobile devices took off so quickly that IT and Security practitioners (who were often left out of buying decisions) faced difficult challenges with regard to maintaining service levels and enforcing security policies.

A new wave of narrowly focused security solutions quickly emerged to address some of the increasing security concerns facing Digital Businesses. Among them, cloud-based Identity and Access Management (IAM) solutions (often referred to as Identity-as-a-Service or IDaaS) emerged to help bridge the gap between increasingly mobile user populations and cloud-based SaaS applications.

In an effort to react quickly, organizations bought into tactical solutions that were designed to serve only one small segment of their target application set. These first generation IDaaS solutions created silos that typically need to be managed separately from the rest of the organization’s enterprise IAM solutions requiring special knowledge and additional ‘care and feeding’. And, making matters worse, these solutions manage access to SaaS applications separately from other enterprise access. This is the situation many organizations find themselves in today.

As these organizations become more digital and incorporate digital thinking into their core business strategies, it’s time to rethink their reactive tactics and to look at longer term requirements and more stable approaches that enable both quick, responsive action and also solid, predictable performance. It’s time to seek out solutions that address the full set of enterprise needs and to tear down the individual silos that have popped up as stop-gap measures. Reactive solutions do well to stop leaks, but they fall short of addressing long-term needs. There are two trends that are currently changing the way organizations approach security for Digital Business and are already impacting IAM buying decisions.

First, convergence is critical. Security functions are coalescing into fewer solutions that cover more ground with less management overhead. Digital Enterprises want more functionality from fewer solutions. The overabundance of attack surfaces and the widespread confusion about how to prioritize and address the variety of threats has left security practitioners wanting more; more simplification, more intelligence, and more visibility.

Second, the basic role of IAM is shifting from one of defense-and-control to one of enablement. Digital businesses can only succeed if they are agile and able to provide the best possible user experience, free of obstacles. In order to manage risk in a more open environment, organizations seek to leverage context and analytics to enable secure interaction between employees, partners, customers, and data. Increased context reduces the reliance on obstacles and enables a more open and fluid user experience. A singular view of a user across legacy, enterprise, mobile, and cloud applications enables greater visibility and an improved ability to respond to compliance mandates.

The next generation of IAM is engineered specifically for Digital Business providing a holistic approach that operates in multiple modes. It adapts to user demands with full awareness of the value of the resources being accessed and the context in which the user is operating. Moving forward, you won’t need different IAM products to address different user populations (like privileged users or partners) and you won’t stand up siloed IDaaS solutions to address subsets of target applications (like SaaS).

The first generation of cloud-based IAM introduced some key enablers for Digital Business that won’t be lost in next-generation IDaaS solutions. The ability to quickly on-board users and applications is critical. The ability to authenticate users wherever they are, understand context, and facilitate access quickly and easily will continue to be a core function of next-gen IAM. But, IAM buyers can no longer think in terms of IAM silos for subsets of users or subsets of target applications. That approach is unable to answer enterprise-wide questions, to enforce enterprise-wide policies, or to enable enterprise-class governance. It will, in short, leave you wanting more.

Next generation IDaaS builds on all the promises of cloud computing but positions itself strategically as a component of a broader, more holistic IAM strategy. Next-gen IDaaS fully supports the most demanding Digital Business requirements. It’s not a stop-gap and it’s not a fashion statement. It’s an approach enabling a new generation of businesses that will take us all further than we could have imagined. I look forward to enjoying the ride.

Friday Jan 08, 2016

The Digital Passport to Identity - by Greg Jensen

During Christmas, I was amazed at the sheer number of risks I was potentially exposing my family to with each electronic gift.  Would my generosity turn to unwelcomed cyber hack or privacy infringement with the “smart” TV application store and registration process? Or maybe the game console with its online network requiring activation?  Would it be my son’s wearable device with dozens of new applications, each with direct access to his personalized identity and health data?  Unfortunately, it’s all of the above.  At least my daughter didn’t get the Wi-Fi connected doll.

This holiday season was exciting and fearful at the same time, but this issue of identities isn’t limited to consumers, it extends to the enterprise as organizations manage their employees, contractors and partners alike. 

As I type this, I am wrapping up the day, working from my tablet at my son’s hockey practice while sipping coffee from the local coffee stand. All made possible with applications securely available from the cloud, accessible over secure connections from public wireless networks.  The office is no longer contained by four walls of the enterprise.  It can be the local coffee shop, a quiet park, or anywhere that provides a new perspective on ideas and creative thinking.  The walls of the traditional office are gone, and today’s network resembles something like a block of Swiss cheese with porous perimeters. The holes created are for extending content and information in a boundary-less world that favors mobile devices and cloud services. 

Today, identity management platforms resemble more of an enablement platform for the digital business where digital identities represent our passport into this world. It binds us to our cloud-based collaborative applications for sharing ideas and content. It opens up a whole new world of information as partners, customers, and colleagues are taking advantage of digital business to create new products, leapfrog the competition and serendipitously innovate.  Without digital identity, we resort to a high risk posture that needs to verify I am who I say I am, and none of this would be possible.  

This has led many users to social sign-on in order to make things easier during the authentication and authorization process. Digital identity is opening new doors for users young and old and we are really at the beginning.

Looking back 25 years ago, it was common for the average user to have only a few identities to manage.  Today, my tech savvy kids for example have close to 25 identities each, all before the age of 18.  According to researchers at Sophos, the average UK resident has no fewer than 19 passwords and 1 out of 3 are not secure.   

Within this landscape, how does business keep up with the growing rate at that our employees and customers scale?  A small business may only need to manage a handful of employee identities; however, they may have 2 million+ subscribers to their cloud service.  Even small organizations can have a complex identity management challenge. 

This is bringing about increased demands and requirements from customers to be able to have one solution for managing one set of user identities across on-premise applications and cloud services.  With increases in complexity come new business requirements such as support for hybrid-cloud architectures, as well as the ability to deliver in a more open, agile and scalable architecture.  All of this with an eye on helping organizations with being better enabled with the digital transformation needs they will face to remain competitive. 

For more information on how Oracle is addressing the issue of the digital passport and managing identity on-prem and in the cloud, visit us at Oracle.com/OracleIdM or The Economist report “The Economics of Digital Identity” sponsored by Oracle.

Tuesday Nov 17, 2015

The Lifecycle Management Opportunities of a Data Breach (Part 3) - Simeio Solutions

Identity lifecycle management is one of the most critical parts of a security and identity and access management program.  Identifying the assets and setting a baseline for acceptable risk needs to be considered before starting any security lifecycle project and must involve the proper stakeholders.  Let's refer back to our original blog post where we discussed the Ashley Madison breach.  When the company began, they had advertised their service with a commitment to delete customer info upon their request, but as the headline breach revealed, that was not the case.  The hackers were able to expose data related to tens of millions of accounts which suggests some part of the identity lifecycle management process was not properly followed.   The fact that so much data was compromised from the Database could imply that the attack originated there.  Soon after the attack, it was reported that a former contractor for the company may have been one of the responsible parties.

To some degree, we had a perfect storm brewing.  We had a company that was offering a service that some felt was morally unethical.  We had large amounts of sensitive data stored un-encrypted in a Database.  And we appear to have privileged account access given to a contractor, which may not have been revoked upon separation from the organization.   There have also been some additional discoveries made on the end-user accounts as well – such as the fact that many of the customer accounts utilized very basic passwords – one password cracking group has claimed that they were able to crack 11 million users’ passwords.  This latter topic is beyond the scope of this blog, but suffice it to say that it is important for organizations to enforce strong password policies.  

It is easy to look at the Ashley Madison situation through the tinted lenses of morality and assume nobody should care, doesn’t apply to me or they had it coming.  The reality is, the scenarios at Ashley Madison should keep every security officer awake at night.  Regardless if the attack/theft and ransom is around the morally questionable content of users, or the confidential financial records of customers, the same steps must be made to prevent the same outcome.

In our last blog we talked about privileged account access and how OPAM protects the keys to the kingdom.  But what about the everyday lifecycle of an employee or a contractor?  How do they request and receive access to the assets they need to do their job and nothing more?  How do we take away access rights as their relationship with the company changes (promotions, re-assignments, terminations)?

The Oracle Identity Governance Suite (OIG) enables us to manage entities across different targets/applications in a centralized manner. The solution can address the most complex business and security requirements without changing existing policies, procedures or target sources.


Self-service enables users to raise requests for themselves for access to particular resources or entitlements. It allows for fine-grained configuration such as restricting a user's self-service capabilities by defining policies and rules based on user attributes. For example, taking a scenario where the user is a contractor, certain fields can be denied attributes for such user types. Thus reducing the time of UI customization and preventing users from modifying user data which is not expected.

OIG has built in Admin roles which can be used for carrying out Admin specific tasks. New customized Admin roles can be defined by adding capabilities to a particular organization scope. It allows the creation of attribute based assignment of Admin roles, thus we can define our own membership rules.
Request based approvals enable the respective stakeholders, like role owner or entitlement owner to be involved in the approval process.  This is an important capability for scenarios where a user needs access to a particular account or entitlement. In the latest OIG PS3 release, workflows were introduced as a replacement for approval policies and can provide more logical responses for end user requests.

Role lifecycle management provides an efficient mechanism to automate and scale the provisioning and logical grouping of accesses and controls as well as helping to detect violations which we will cover in more detail in our next blog.

OIG ensures that on-boarding and off-boarding actions are followed based on the start and end dates respectively. It provides a set of access policies which are role based (which in turn can be attribute based) which ensures that uniformity is maintained across various target systems. Role to Access policies mapping is done during role configuration. If this association is done with lifecycle management enabled, it goes through a role owner approval process, thus ensuring role owners are aware of provisioning actions. The provisioning process based on tasks ensures that the proper workflow is followed. Immediate access termination can be done by administrators from the Identity console for users which are found to violate policies whether accidental or malicious. 


Proper sunrise and sunset of account access and entitlements is critical for contractors or in scenarios where access to privileged accounts and entitlements needs to be granted to users – in such cases we can define start and end dates of a particular entitlement and thus control access for a particular period providing another layer of protection against misused access rights.  OIG can automate the process of immediately revoking user access rights upon termination or suspension. This eliminates a commonly exploited security gap and opportunity for policy violations that can occur after the dismissal of an employee or contractor – which is the exact scenario that was assumed exploited at Ashley Madison.

Conclusion
The Oracle Identity Governance Suite can be used to establish a lifecycle management process that allows organization to have comprehensive governance of identities. It allows organizations to identify risks and make sure they address the organization’s defined policies. In the next blog in this series we will discuss more on certifications, audit, compliance and reporting and how it ties together with lifecycle management as part of a holistic security solution to enhance compliance.

For more information on how Simeio Solutions can help you with reducing exposure to data breach with Oracle technologies, please visit them at www.simeiosolutions.com

Wednesday Nov 11, 2015

Managing the Keys to the Kingdom - Privileged/Shared Accounts - Simeio Solutions

This is our second in a series of commentaries on minimizing the risk of becoming the next front page news story on data breaches. 


Privileged and Shared Accounts are some of the most critical assets to manage in an organization since they provide broad access to systems and sensitive corporate and state information. Privileged Accounts are those that typically allow administration of a system or provide higher levels of access within a system such as Linux/Unix ‘root’ or Oracle Database ‘sys’.

There can be many reasons why a user with access to a privileged account does bad things - they were not given an expected raise, denied a vacation or a promotion, or maybe they disagree with the ethical and moral policies of their employer.  Poor password management practices, such as sharing passwords for privileged accounts, or falling prey to smart social hacking is a simple way for others with malicious intentions to gain access to the Keys to the Kingdom.  There can also be privileged escalation attacks where a user  can gain additional access to a system beyond what he or she has been authorized to have by exploiting a vulnerability in that system.

As we discussed in our last blog entry, most data breaches are caused by events such as employees losing, having stolen, or simply unwittingly misusing, corporate assets.  After questioning over 7,000 IT executives and employees across North America and Europe, a recent industry report has found that 31 percent of employees cited simple loss or theft of credentials as the explanation for data breaches they had experienced, ahead of inadvertent misuse by an employee 27 percent of the time. External attacks were mentioned in 25 percent of cases with abuse by malicious insiders at 12 percent. The same selection of causes was cited at much lower levels for business partners.

It is equally important to keep an eye on service accounts associated with test and demo environments.  The principle of least privilege is the key - only assign privileges which are necessary for an employee to effectively do their job, and put the necessary controls in place to remove privileges when no longer warranted. Start with the most restrictive state possible and build out from there.


Organizations are struggling to manage a large number of administrative accounts in a secure, efficient, and scalable way. So the problem is how to handle the situation where we only provide access to a privileged account when it’s required to perform a specific task and how do we audit and report on those situations.

Oracle Privileged Account Manager (OPAM)
Fortunately, there are technologies available to protect an organization’s privileged or shared accounts.  When coupled with industry best practices, a program can be put in place to ensure that your organization doesn’t become the next headline data breach story.  


The following diagram and flow sequence describes how Oracle Privileged Account Manager in conjunction with the Oracle Identity Governance Suite is used to protect the Keys to the Kingdom.  


Flow sequence:
1.    Requester raises request for access to certain systems, groups, etc..
2.    Approver (manager, system owner, etc.) can deny, approve, or delegate request.
3.    As per the roles and policies configured for this request, OIG will provision appropriate access.
4.    (Privileged) User will login to the OPAM self-service console and be authenticated for the request.
5.    OPAM allows the user, for example a database administrator, to use a privileged account by “checking out /check in” a password for a particular enterprise application, operating system, or database server.
6.    ICF connectors provide out of the box integration with various target systems.
7.    When session access is granted, a notification (text message or email) can be sent to an OPAM Admin/IT Security admin.  OPAM Admin/IT Security admin can keep/terminate the session as appropriate.


The request based flow as depicted above ensures that the proper admin team is notified for the access which the present users have. Policies and roles ensure that the only access granted to a user, is that which they require (as per the principle of least privilege). It is always critical to do a periodic review of the policies and roles that are configured.  Sunrise and sunset of accounts and entitlements, access violations and certifications can all be handled by Oracle Identity Manager which will be discussed in a future blog post.  The password policies in place here can ensure strong authentication standards are followed. Additionally, the end users don’t need to remember multiple passwords – they actually never have to see the password for these protected, privileged systems. 

Default passwords are prone to risks so OPAM is configured to automatically change the password and thereby eliminating the possibility of the password being reused.  The system is set to change the password on every check-in, thereby precluding the administrator from reusing the same password again and hence is less prone to sniffing of password of privileged accounts. There may be cases where we need to rollback our privileged account target and in that case OPAM maintains a password history.

OPAM additionally provides session management and auditing capabilities to address various use cases. The OPAM dashboard shows real time status. By creating a single access point to the target resources, OPAM Privileged Session Manager helps administrators to control and monitor all the activities within a privileged session. When session access is granted, a notification can be sent to an auditor. Compliant third-party clients (e.g. Putty, OpenSSH) are supported.  OPSM will monitor SSH session activities through keystroke logging and records the input/output for each session into searchable historical records (transcripts) to support forensic analysis and audit data. OPAM leverages an OPAM agent on the target to capture and record user activities into a MPEG-4 encoded video for Windows playback. OPAM audits and logs all operations and provides its own built-in audit reports.

Conclusion
Additional benefits of OPAM are further realized when deployed in conjunction with some of the other capabilities delivered through the Oracle Identity Governance Suite.  This integration provides an enterprise with a complete governance solution to support ordinary and privileged users in order to meet compliance requirements. We will go into greater depth in our next blog on how OIG provides a simple and robust solution to fully manage the user life cycle with all essential features to secure enterprise assets.

For more information on how Simeio Solutions can help you with reducing exposure to data breach with Oracle technologies, please visit them at www.simeiosolutions.com

Tuesday Oct 27, 2015

Ensuring You Don’t Become the Next Data Breach Story (Part 1) - Simeio Solutions

Recent headline Cyber Crimes at major retailers, health insurers, and even US Government agencies suggest that those involved were not necessarily performed by criminal masterminds, but rather by individuals that at one time had been properly credentialed to access systems or by individuals that were simply exploring open doors to identify vulnerabilities,. As information technology moves further toward the cloud to provide services, we will start to see more security breaches on a greater scale than ever before.

The hack at Ashley Madison has captured the attention of the media on several continents. And it is of no surprise that the former CEO suggested that the hacking incident may have started with someone who at least at one time had legitimate, inside access to the company’s networks — such as a former employee or contractor. In another instance of data theft from a health insurer, it was determined that critical data and records were not properly encrypted leading to the theft of millions of records of personally identifiable information.

As per "The Federal Trade Commission", Identity theft was once again the number one complaint from Americans this year.


Oracle’s Defense-in-Depth strategy and solutions offered as part of the Oracle Identity Management suite of products can prevent the cyber breaches that we are becoming so accustomed to see on the nightly news.

Today’s blog will focus on a few specific capabilities of Oracle Identity Governance (OIG) and show how they can be used to protect against certain types of common exploits.

1. Privileged/Shared Accounts – Keys to the Kingdom.

Privileged and shared accounts unfortunately exist within every organization - designed at a time when security was an afterthought if even thought of at all. How does one prevent or limit privileged accounts like DB Admins from performing malicious actions when compromised? OIG provides session management and auditing capabilities which become the single point to control and monitor activities within privileged sessions. OIG will provide notification alerts on account checkout. You can also define the life of a session and limit the usage of commands.

2. User life cycle management – Role Appropriate Access and Removal of Orphaned Accounts

OIG allows for attribute based role management for application and administrator roles. One can define custom, fine-grained Admin roles. For new user on-boarding, privileges are based on roles, business rules and requests. We can also define sunrise and sunset of application and entitlements which limits the access of users such as contractors or temporary employees for defined time periods. Normal termination based on end date and immediate termination helps to remove privileges and accesses across all target systems. Simply, an individual should only have access and entitlements within and across applications to be effective at their job, and should lose access when they no longer have a business need.

3. Enforceable Password Policies – Start with the basics

Hard-coded passwords, weak/common passwords, and infrequently rotated passwords are at the center of some of the most commonly exploited attacks on organizations. OIG protects privileged/shared accounts with passwords that are mathematically infeasible to ever guess or break and can rotate them on a regular basis. Likewise, password policies can be set for all protected resources requiring individuals to use complex passwords and require regular password changing – making it impossible for an attacker to simply guess the right key to get them through the front door.

4. Protect and Audit

OIG provides the tools to protect privileged accounts. Checking credentials in and out, also allows us to keep track of who has been using these shared accounts. OIG goes one step further, and allows us to monitor specific session activities – capturing and recording user activities as an MPEG video.

Beyond privileged and shared accounts, OIG has powerful certification capabilities - whereby users, managers, and respective application owners can validate and check the accesses of individuals and their specific entitlements. Segregation of Duties (SOD) analysis is efficient and preventative, warning users about potential violations before even the submission of a request.

5. Encrypt the Data – If it cannot be read, it is useless.

There are many rules and regulations mandating encryption and it makes for sound advice regardless. For example, if you have to comply with the PCI-DSS standard, then credit card numbers need to be stored encrypted. OIG allows for encryption of critical attributes of applications – whether that might be credit card information, social security numbers, or other HR data. Additionally, while outside the core scope of this blog series, tools such as Oracle Advanced Security carries out strong encryption of databases to fully protect sensitive information whether at rest or in transit.

Cyber crime has a devastating economic impact on society and at the individual company level can cause reputation and punitive damage from which an organization might never recover. OIG is a vital information safeguard. It exists to protect sensitive data and information from the ever-evolving landscape of security threats. Regardless of the position that a company takes on the extent or viability of such threats, a strong OIG implementation helps to mitigate the risks of cyber crimes.

What's coming next?

Future blogs in this series will discuss in greater depth how the Oracle Identity Management solutions can prevent your organization from being the next front-page exploit.

For more information on how Simeio Solutions can help you with reducing exposure to data breach with Oracle technologies, please visit them at www.simeiosolutions.com

Tuesday Sep 22, 2015

New Paper and Webcast on Identity's role in the new Digital Economy

By 2020, more than 7bn inhabitants of Earth will be using over 35bn devices to communicate, collaborate, negotiate and perform transactions.  This new digital economy is only made possible within organizations that are successful at implementing a strategy of true identity management. 

Oracle and The Economist Intelligence Unit have partnered together EIU Paper to deliver a  new paper on the role identity management is playing in helping organizations meet their goals in today's digital economy. This new paper - The Economics of Digital Identity - is based upon an industry survey of over 200  IT executives in manufacturing, financial services and IT technology sectors. 

Key findings include:

  • Almost two-thirds (64%) say digital channels are highly important to their company’s revenue— “mission critical” for 27% and “very important” for 37%
  • Digital channels will be “mission critical” to over one-third of companies in three years’ time
  • 72% say security is the key challenge to managing digital identity, and only 19% are very well prepared to meet the security requirements
  • Enabling customers to control their own identity data is rated as highly effective by 48% of adopters

ISC2 Webcast

As a follow up to this paper, Oracle and ISC2 are sponsoring a live ISC2 Registrationround table webcast to discuss the risks and benefits organizations are faced with today as they look to adopt a modern identity strategy while preparing themselves for the digital economy. This session, "Coin of the Realm: Managing Identity Economics in the Age of Hyperconnectivity" will be hosted by ISC2, Moderated by Brandon Dunlap and our guest presenter will be Siddhartha Agarwal, VP of Product Management & Strategy at Oracle.  Also on the panel, will include Darin Reynolds from DAS/Omnicom and other industry guests.

Register now to attend this exciting session on October 8th, at 1:00pm Eastern time

For more information, please see our Press Release on our activities with The Economist and ISC2.


Thursday Aug 20, 2015

IT Business Edge: Oracle Ties Mobile Security to Identity and Access Management

Oracle Ties Mobile Security to Identity and Access Management

"Arguably, the rapid rise in mobile application and device usage caught most enterprise IT organizations off guard. As a result, a hodgepodge of mobile applications has evolved inside their organizations that have been created using a variety of tools with differing levels of security and governance capabilities. Oracle is making the case that in a world where security is of paramount importance, the time has come to implement a more comprehensive approach to IT security in general—and identity management in particular.

The degree to which that actually occurs will differ wildly across different IT organizations. But the days when IT organizations could try to manage mobile applications in isolation from the rest of the enterprise are rapidly coming to a close."  (complete article)

Tuesday Aug 18, 2015

Oracle's PS3 Release Off to Great Start with SearchOracle Articles

SearchOracle took part in a set of interviews with Oracle's Jim Taylor (Sr Director of Product Management) and another interview with one of our key partners Aaron Perry with Aptec LLC

Patch for Oracle Identity Management aims at mobile security

"Oracle Identity Management 11gR2 PS3 uses contextualization -- a method that takes into account the user, the device and the location to create context for an access request -- to automatically tailor security to the needs of a user working on a secure computer in the office compared to a user working on an iPad in a coffee shop"

(article)

Aptec names use cases for Oracle Identity Management patch

"Perry believes that more and more people are  starting to take identity management seriously. According to Perry, government organizations and Fortune 100, 500 and 1,000 companies, among others, have been waiting for the development of a single platform that they can use for both enterprise and mobile identity management.

Now that Oracle has developed it, Perry expects to see a lot of clients wanting to upgrade from a previous version of Oracle Identity Management or homegrown systems onto Identity Management 11gR2 PS3 in the next six to 12 months." (article)

Wednesday Jul 22, 2015

Press Release: Oracle Integrates Mobile Security into Identity and Access Management Platform


Today, Oracle released a Press Release announcing the availability of Identity Management 11gR2 PS3 (Patchset 3). This update to the IDM 11gR2 solution brings forth some groundbreaking new capabilities for our customers to enable organizations to realize success in the areas of new digital business and unifying identities across applications. This greatly simplifies the on-boarding of new users, applications and services such as mobile and cloud.  

Some of the new aspects of the PS3 update include a new "Business Friendly" user interface which provides a single console view of your provisioning, approval workflows, entitlement management, and more.

The update also introduces new capabilities around mobile security with the expansion of Oracle's Mobile Security offering to include Enterprise Mobility Management. This is achieved through the inclusion of Mobile Device Management capabilities as well as a consolidated policy management framework for simplified provisioning of devices, applications and access.

New materials that have been created to help you evaluate this new update include:

Stay tuned to the Oracle Identity Management product page for the latest information on how Oracle is able to solve today's business challenges, and stay on top of the latest information with Oracle's Twitter and Facebook pages.

Thursday Jul 16, 2015

Fragmenting the Path to Mobile

We have all experienced it in one way or another. Either as an applications owner who has seen the scale of the issue grow over time, the line of business owners who have to rely upon what IT is able to deliver, the employees who work with the complex infrastructure and no clear path to the future, or worse, the customers who are potentially impacted by it all.  What are we talking about here?   Identity Fragmentation.  

 So years ago you stand up an HR system with it's own database repository and it's own user account system.  You go to a secondary vendor to help streamline the provisioning and approval workflow for on-boarding and certifications. You leverage another vendor to assist with auditing of privileges and entitlements.  All of this in support of the one application, and each additional layer you add creates it's own silo of identity information.

Now you want to stand up a payroll application.  It too requires it's own repository for events, for user identities, workflow engines, and all the needs around auditing of privileges of entitlements.  More and more layers must be built and very little of this can be re-purposed and re-used.

 The challenged organizations get into is the repetitive efforts they are undertaking in setting up the duplicate components, having to re-create user accounts and the patchwork integration approach between applications which are not designed to share this credential information from the start.  This leads to high costs to support, audit risks to the organization, and a challenge to respond to new requests for new applications and services such as Mobile and Cloud. 

One of the biggest detractors in businesses moving to the cloud is the inability for customer's legacy applications being "cloud ready" in that they are not able to externalize user identities to the new cloud applications which can be detrimental to the success of the cloud migration.

 Oracle has recently written a eBook (Establishing a Mobile Security Architecture) which has an entire chapter dedicated to the issues of Identity Fragmentation in today's enterprises as they related to mobility.  Download this free eBook and take a look at Chapter 5, to learn more about Identity Fragmentation in the enterprise today, and to learn best practices for reducing your exposure and developing a more flexible architecture that scales for future on-prem, cloud or mobile applications.

For more information on Oracle's approach to Identity Unification with Oracle's Identity Management 11gR2, visit our website for more details.


Tuesday May 19, 2015

Now Available! Oracle Identity Management 11gR2 PS3

The Oracle Identity & Access Management team is announcing the General Availability of the latest update to our well recognized Identity Management 11gR2 PS3 (Patchset 3).  This update to the 11gR2 solution brings forth some groundbreaking new capabilities for the Oracle offering and for our customers in the areas of a new "Business Friendly" user interface which greatly simplifies the tasks associated with provisioning and managing the tasks associated within today's more robust identity-driven enviroments. 

The update also introduces new capabilities around mobile security with the expansion of Oracle's Mobile Security offering to include Enterprise Mobility Management. This is achieved through the inclussion of Mobile Device Management capabilities as well as a consolidated policy management framework for simplified provisioning of devices, applications and access.

A more detailed look at Oracle Identity Management 11gR2 PS3 updates include:

    • Business Friendly User Interfaces in the Oracle Identity Governance Suite 
    • Role-based, task driven interface to request, approve and certify access
    • In line Segregation of Duties detection
    • Intelligent Access Catalog with Access Advisor and categorization filtering
    • Role-Lifecycle Management and Analytics
    • Integrated Mobile Administration into the Identity Governance and Access Management consoles for simpler administration and tighter security controls
    • Lightweight Mobile Device Management to provide a complete mobile security solution
    • Directory virtualization in Oracle Unified Directory 
    • PIN-les 2 Factor Authentication has been added to the Mobile Authenticator
    • Enhanced Privileged Account Management
      • Windows session recording
      • Increased target support, including Windows local accounts, SAP and Network Devices
    • Expansion of the Automated Patching and Installer to further simplify operation of the suite
For more information on Oracle's Identity Management offerings and the new Patchset 3 update, please visit Oracle.com/Identity

Tuesday Mar 03, 2015

Does Your Company Recognize Your Online Identity - Anywhere, Anytime?

Our mobile IDs travel with us to work, back home, and on the road. Businesses are learning to cope.

by Lynne Sampson

Like most aspiring writers, I loved going to the library as a kid. I had a library card as soon as I was old enough to sign my name—creased and frayed from overuse, tucked inside my mom’s wallet. Mom and I handed our cards to the librarian at each visit, and she looked up our names in the library register and compared our signatures to the ones on our cards.

This old-fashioned, analog ID system was around for a long time. It was less than 10 years ago that my local library replaced paper cards with plastic ones, with a photo ID and a magnetic stripe.

Today, analog IDs have gone the way of cursive script. Nearly all IDs are digital. Since the rise of the internet, our banks, employers, and apps ask us for a plethora of user names, passwords, and security questions to prove that we are who we say we are.

This is a nuisance for absent-minded consumers who make frequent use of the “Forgot My Password” button. But it’s an even bigger problem for the companies and employers that we do business with.

67% of Fortune 500 companies connect with customers via mobile app

“Mobile has become the platform of choice for everything from work to vacationing,” said Naresh Persaud, senior director of security product marketing at Oracle. “That adds a layer of complexity to identity management that most organizations haven’t had to deal with before.”

Consider the way we work. “Many companies have salespeople who travel constantly. They use their tablets all the time, and they want to log into their applications, track their deals, check and assign new leads. They like the mobile experience because it’s familiar and easy to navigate,” Persaud said.

What’s not so easy is provisioning all those mobile devices for a corporate network—especially as more and more of us use our personal devices for work.

89% use personal devices for work purposes

Adding further complexity to the mix, a growing volume of marketing, selling, and hiring is done via social channels like Facebook, Twitter, and LinkedIn. “Many of us need social tools integrated into our mobile identities,” Persaud continued. For example, one B2B company tracks new leads coming in from marketing campaigns and then checks the prospect’s ID on LinkedIn. If the sales manager finds a rep who is already part of the prospect’s LinkedIn network, he’ll assign the lead to that rep, using existing relationships to gain an introduction.

And it’s not just customers or employees who companies must think about. “At some companies, like online music providers, the product itself is digital.” This is becoming more common as the “sharing economy” (driven by apps like Uber and Airbnb) takes flight. This means keeping track of which user has access to which products and services. “We’ve entered a world of ‘digital abundance,’ where our mobile ID becomes the currency of entitlement,” Persaud said.

What does it take to manage our mobile identities? How do companies give employees and customers access to all their apps, systems, and products from a multitude of devices?

Companies need to establish policies, technologies, and best practices to manage and audit the use of mobile devices. Mobile should be an integral part of your company’s larger security and identity strategy.

“You need an integrated platform that provisions access to data and systems, manages the identities of people, and authenticates devices,” Persaud explained. “Integrated” is the key ingredient when it comes to managing mobile identities. Using separate security solutions for data, devices, and people makes it more complicated for customers and employees to get access to the tools they need. Plus, a single identity for each user—no matter which device they’re on—can help you maximize conversion and revenue.

“A great example of this is Beachbody,” Persaud said. Beachbody provides home fitness products and creates a community for members trying to reach their physical fitness goals. “Instead of physical locations, Beachbody delivers products and services via the web and mobile devices.” To connect with millions of customers and thousands of fitness coaches, Beachbody needed to digitize identity and do it securely across multiple channels. “Mobile was perhaps the most important part of their identity management project,” Persaud added, “because it’s become the platform of choice for consumers.”

Our mobile identities are somewhat akin to DNA—unique, evolving, and hugely complicated. Someday, our DNA might actually be the key that we use to access all technology and services, from pension checks to downloaded music. Until that happens, though, companies need to work with mobile identities. That means working with an integrated security suite that includes mobile as a consideration equal to data and people.

See the Oracle Mobile Platform at Mobile World Congress

Learn about Oracle Identity Management Solutions


Friday Feb 27, 2015

New eBook: Establishing a Mobile Security Architecture

Today, just as organizations are starting  to understand the first wave of the mobile revolution, there are now numerous demands being placed on IT to support the second wave of mobility as a new generation of devices and applications are coming online to take advantage of these new capabilities in today’s corporate environments.

"Establishing a Mobile Security Architecture" provides a deeper understanding of not only the fundamentals, but also the complex issues related to mobile security in today’s corporate mobility environment. If you maintain the role of a mobility planner, security architect, CISO, security director, IT director, operations manager or just simply want to better understand the best application of technologies for each area of mobility within your organization and how to reduce risk, then download this free copy of  "Establishing a Mobile Security Architecture".

Some of the areas covered in this eBook:

  • A look at the changing mobile and business requirements
  • Deep dive in the technologies used to secure the mobile platform today
  • Containerization and application management
  • The role Identity Management plays on the mobile device
  • The broader view of securing the mobile stack

Register now for your free copy of the "Establishing a Mobile Security Architecture" eBook.

Wednesday Feb 18, 2015

ISACA Webcast Replay - Manage, Monitor & Audit the Mobile User

The greatest threat of a data breach –intentional or not - continues to be from employees, contractors and partners – people you are supposed to be able to trust. On February 12th, Oracle presented to ISACA members on the critical nature of establishing policies, technology and best practices to manage, monitor and audit the use of mobile devices as part of a larger Identity Management strategy.

Our presenter was Mark Wilcox, who is a Senior Principal Product Manager at Oracle. Leveraging his 20 years of experience in the computing industry and the Identity and Access space, Mark delivered a very focused session on best practices and industry guidance that would benefit any organization evaluating their mobile strategy.   Please click on the following link to replay the event from February 12th, 2015.

For more information on ISACA, and how they can support you on a student, professional or academic level, please visit them on their website at www.isaca.org  or directly on their Membership Page

Replay Webcast Here


Tuesday Jan 06, 2015

Oracle Magazine: Reducing Risk While Mastering the Digital Identity

Just released - the latest issue of Oracle Magazine is focused on security and features two great case studies you will want to share with your customers. These two stories highlight how companies are reducing risk and at the same time mastering digital identity. "Businesses need identity management systems to provide a single point of access and control while reducing costs and improving operational efficiency. Learn how two organizations are turning to the Oracle Identity Management solution to enable growth and business transformation."( Phillip Gill, Oracle Mag 2015)


Oracle Magazine, January - February 2015

A United Workforce
Vodafone
At Vodafone Group, the world’s second-largest telecommunications company, the first step in adapting to the mobile, social, and cloud evolution was to unite corporate identity and access management.

Empowering Customers
Electrabel
Electrabel GDF Suez, the largest supplier of electricity and gas in Belgium, is counting on identity management to help it reach out to millions of its residential customers to reduce energy consumption.

Tuesday Sep 23, 2014

Pre-Registration Now Open for eBook: Oracle Mobile Security Primer

Today, just as organizations are starting   to understand the first wave of the mobile revolution, there are now numerous demands being placed on IT to support the second wave as new generation devices and applications are coming online to take advantage of these new capabilities in today’s corporate environment.

Pre-Registration has just opened for the new eBook: Oracle Mobile Security Primer which provides a deeper understanding of not only the fundamentals, but also the complex issues related to mobile security in today’s corporate mobility environment. If you maintain the role of a mobility planner, security architect, CISO, security director, IT director, operations manager or just simply want to stay up on the latest trends around mobile security, then pre-register for this new eBook: Oracle Mobile Security Primer.

Some of the areas covered in this eBook:

  • A look at the changing mobile and business requirements
  • Deep dive in the technologies used to secure the mobile platform today
  • Containerization and application management
  • The role Identity Management plays on the mobile device
  • The broader view of securing the mobile stack

Registration will allow Oracle to provide notification to you upon its availability in both eBook and printed form by McGraw-Hill.

www.mhprofessional.com/mobsec

Wednesday Aug 27, 2014

A Journey from Customization to Standardization - Umer Aziz

It was a cold evening back in fall 2010 when a succinct but impressive cake cutting ceremony was held at Oslo’s massive indoor stadium, Telenor Arena. The ceremony progressed with some speeches and presentations, leading to a delicious cake and refreshments.  The gathering also comprised of brilliant IT Security and Identity & Access Management professionals, who were accompanied by personnel from other IT disciplines. Most of the audience showed great enthusiasm and pitched very interesting questions which were responded with great passion and confidence by those energetic professionals.

It was the launching ceremony of an application that received OracleFusion Middleware Innovation award at Oracle Open World, in the same year. The application was built on the concept of ‘Identity as a service’ for group companies and proved to be a great addition in application portfolio of our Shared Services organization.

Customized GUI over top of Oracle Identity Manager
The application was built as a customized layer upon Oracle Identity Manager 10g and offered user friendly Certification audits and Access Request Management, powered by a multi-tenant architecture. The features were a bit early of their time in IdM world and were key reasons to build customized layer over top of standard solution of Oracle. Though it was not the first time that we built customized application using APIs of standard identity manager, we had already done that in the form of “user creation management GUI” on top of Oracle Identity Manager 9i.

Shortcomings of Customized solution
Though customization results a product according to customer’s desire and fulfills requirements more precisely, but we shall have to believe that technology has somewhat matured recently and companies are offering off-the shelf solutions, better than the traditional tailored products.

Following are the major shortcomings of Customized solution that were faced.

  • A tailored solution is always more expensive than using an off-the shelf product. The logic is simple – customized product are made for a single customer and consequently all development expenses are borne by one entity.
  • Upgrade to newer version is always a big challenge when using a customized solution, but it becomes even bigger when customization is heavily dependent upon the application interfaces (APIs and WebServices). I still remember the mayhem while upgrading from OIM 10g to OIM 11gR1 :)
  • Maintenance and development of a customized solution (application) requires considerable time and resources as compared to the standard solution. A dedicated team of programming geeks is a must, for successfully running a tailored solution. Another relevant challenge is training and coaching of newly hired resources. Every time a new resource is hired to fulfill a vacant position, a hands-on training will be required for him to understand the architecture and approach used for customization.
  • The product support community does not offer any support for a customized product, so if you get a bug or challenge in your customized solution, you will be the only one to resolve that.
  • It is admitted by many of the solution providers, that customization has resulted in slow performance of their application instances. Allowed customization approaches use standard APIs or related interfaces to interact with core application, which have always been considered performance degraders due to the formalities of applications towards external interfaces. This challenge is not only true for Identity Management but similar feedback has been reported by experts of other products i.e. Oracle E-business suite and Oracle SOA suite.


Oracle’s Beta testing program
The Beta Testing Program is a joint venture featuring Oracle and its customers. This initiative provides a structured approach to include users of Oracle applications from selective organizations in the Beta Testing Programs. The overall goal is to allow selected users to perform in depth testing and analysis of Oracle's new products and releases in order to help Oracle deliver better products to market. As a beta testing participant, testers perform in-depth testing of the next generation of Oracle products. This also helps to build personal knowledge base, become an industry recognized technology leader, and help influence Oracle's future product direction.

Our organization, as a Shared Services Solution Provider of Identity and Access Management, was also involved in the beta testing for patch set 2 (PS2) of Identity and Access Management suite 11gR2. The focus area from our side was limited to Identity Governance – more specifically, features of Multi-Tenancy and Access Request Management.

Decommissioning of Tailored layer and rollout of Off-The-Shelf Solution
It's a common misunderstanding that boundaries limit creativity. It may sounds unreasonable, but boundaries can actually boost creativity. Instead, we need to impose boundaries by tightening our processes and one way to achieve this effectively is with Off-The-Shelf solutions.

As involvement in beta testing program resulted in the confidence on much awaited functionalities, last week we have decided to decommission the customized layer by moving functionalities in OIM 11gR2 PS2. The work has actually been started and intention is to complete before summer vocation of 2014. We're crossing our fingers and hoping that the rollout of Off-The-Shelf solution stays fine.

Umer Aziz is an ITIL Specialist Change Manager with Telenor Global Shared Services and has an extensive consulting background in Identity and Access Management in real world deployments. 

Thursday Jul 31, 2014

Identity Management at Oracle OpenWorld 2014


Are you registered for Oracle OpenWorld 2014 to be held in San Francisco from September 28th to October 2nd? Visit the Oracle OpenWorld 2014 site today for registration and more information. We have highlighted some of the most talked about sessions that attendees will be trying to get in to see this year.  For the latest information on sessions (such as schedule changes to dates, times, venue locations) please continue to check back at the links below.

Business Transformation Case Studies in Identity Consolidation (CON7989) - This session will explore how customers are using Oracle Identity Management to deliver a unified identity management solution that gives users access to all their data from any device while providing an intelligent centralized view into user access rights. See how Oracle Identity management can securely accelerate your adoption of cloud services in the new digital economy.

Identity Governance Across the Extended Enterprise (CON7968) - In this session, see how Oracle's Identity Governance solution reduces risks and costs, while providing fast access to new services through an intuitive user self-service solution to thrive into today's economy.

Securing The New Perimeter: Strategies for Mobile Application Security (CON7993) - In this session, we will cover how enterprise mobility and the Internet of Things are both new IT endpoints that require melding device and user identities for security.

Access without Fear:Delivering an Optimale Multi-Channel user experience (CON7995) - In this session, we will review the role of the Oracle Access Management Platform and how it delivers an optimal user experience while guaranteeing the security of all access events.

Identity as a Service - Extend Enterprise Controls and Identity to the Cloud (CON8040) - In this session, we will cover how the Oracle Cloud Identity Service extends enterprise controls to the cloud, automating SaaS account provisioning, enabling single sign-on and providing detailed activity reports for today's customers.

Check back often, for a complete listing of all sessions available at Oracle OpenWorld 2014.

Identity Management executives and experts will also be at hand for discussions and follow ups. And don’t forget to catch live demonstrations of our complete Oracle Identity Management solutions set while at OpenWorld.

Follow the conversation on Oracle OpenWorld 2014 on Twitter with #OOW14 and as always, engage with us @oracleidm.

We recommend the use of the Schedule Builder tool to plan your visit to the conference and for pre-enrollment in sessions of your interest. You can search identity management sessions using the term “identity management” in the Content Catalog. We hope to see you there!

Tuesday Jul 15, 2014

Three Reasons Management Will Thank You For Implementing IDM Monitoring - Aurionpro

Identity Management (IDM) platforms protect your most critical enterprise assets: your apps and your enterprise data.  Many companies spend significant investments designing and implementing IDM solutions, but an alarmingly few actively monitor the health of them. That’s like driving a new car for 30,000 miles without checking the oil. Like cars, all software products require maintenance. Active monitoring provides information in advance of potential failures and will help keep your IDM solution running smoothly. Since IDM solutions typically involve various layers of technology and include integrations with a number of source systems, monitoring should be seen as a critical component of a successful long-term IDM strategy.  

It’s unfortunate that IDM monitoring is often times evaluated after the IDM solution is already in place as there are significant benefits that can be overlooked. Three of these compelling reasons are:

1.    Up to 10X reduction in cost of issue resolution

It’s a well-known fact that issues are much more expensive to address in a production environment than during testing cycles. Barry Boehm, the famous Computer Scientist, quantified that the cost of finding and fixing a software problem after delivery is often 100 times more expensive than finding it earlier in the cycle. In our experience, the cost is approximately 10X more expensive, but either way, it’s clear that the earlier you find an issue the better.

Active monitoring can be an enormous cost saver due to its early symptom identification capabilities. Finding an issue before it strikes based on early warnings uncovered by active monitoring technologies, and resolving the issue in a development or testing environment can be a huge cost saver. If you’ve ever had to solve a complex performance- or integration-related issue in a production environment, I’m sure you can relate to just how important this can be.

In a large-scale IDM deployment, for example, there can be any number of root causes that might result in a Single Sign On (SSO) failure. The issue may reside at the application layer, the integration layer, the network layer, or the database layer.  Without a comprehensive monitoring solution that consolidates the data from each of the system’s components, it could be an onerous effort to sift through the extensive set of logs with the hope (and a prayer) that the issue can be identified.  We experienced this exact scenario recently and, thankfully, we had Oracle’s Enterprise Manager in place, which helped us to determine that our Directory replication was failing. Without this monitoring tool, it would have been a much more tedious and costly process to identify and resolve the issue.

The beauty of an active monitoring solution is that it immediately alerts you about the issue and provides sufficient information to initiate quick remedial action.  It also provides detailed reports that aid in the understanding of the system performance and stability trends.

2.    Most companies achieve ROI break even within 1-2 years

Putting an active monitoring solution in place is primarily a one-time effort and cost, as the ongoing resource needs to support the technology post-deployment are minimal. The million dollar question is whether or not the cost of the technology and the resource needs to set up such a solution is worth it? The short answer is YES. Avoidance of a single production-level issue (as was described above) might actually pay for the entire system by itself. Such IDM monitoring solutions also reduce manual monitoring costs while minimizing system down time, both of which also add up to hard cost benefits. We have often observed that the cost reductions and cost avoidance that result from an active Identity Management monitoring solution pay for the cost of the solution within a 1-2 year period.

3.    Identity Management monitoring solutions can be implemented quickly, and in phases


As is the case with most software categories these days, there are a number of options available that can help to achieve the benefits of active IDM solution monitoring. We’ve had a ton of success with Oracle’s Enterprise Manager (OEM) 12c product, Oracle’s integrated enterprise IT management product line. Oracle Enterprise Manager creates business value by leveraging the built-in management capabilities of the Oracle stack for traditional and cloud environments, allowing customers to achieve efficiencies while exponentially increasing service levels. If you’re deploying parts of Oracle’s Identity Management Suite, you’ll want to heavily consider deploying OEM.

Key OEM features include:

•    Automated Discovery of Identity Management Components
•    Performance and Availability Monitoring
•    Service Level Management

•    Configuration Management

There are also other licensed and open source monitoring solutions available on the market today. An interesting alternative to check out is Nagios, a viable open source solution for network and application monitoring. Homegrown solutions can also meet many system and network monitoring needs.

Regardless of the technology that is selected, it is recommended, in many cases, to take a phased approach when implementing such a solution. In this way, the processes for ongoing monitoring and addressing potential issues flagged by the monitoring solution can be ironed out while proving out the value and importance of the solution. The solution needs to cover the critical failure points, across database, application, network, machine, and hardware layers. For many Identity Management deployments, database failures are often the culprit of production-level issues. In provisioning solutions, connectivity to target systems need to be monitored closely as the integrations can often times be the failure points. Based on the type of IDM solution being implemented, monitoring should obviously be set up for the more likely failure points during the early phases of the monitoring solution deployment.

Conclusion

Monitoring is an important component to ensure a successful Identity Management solution and greatly helps to improve the health and stability of any IDM platform. To learn more about our best practices gained from leading hundreds of Identity Management implementations, please contact Kunwar Nitesh, an Associate Director in Aurionpro's India-based IDM delivery center, and a true domain and implementation expert across Oracle's Identity and Access Management solutions.

Thursday Jun 12, 2014

BYOD is not a fashion statement; it’s an architectural shift - by Indus Khaitan

Ten years ago, if you asked a CIO, “how mobile is your enterprise?”. The answer would be, “100%, we give Blackberry to all our employees.”

Few things have changed since then:

1.    Smartphone form-factors have matured, especially after the launch of iPhone.
2.    Rapid growth of productivity applications and services that enable creation and consumption of digital content
3.    Pervasive mobile data connectivity

There are two threads emerging from the change. Users are rapidly mingling their personas of an individual as well as an employee. In the first second, posting a picture of a fancy dinner on Facebook, to creating an expense report for the same meal on the mobile device.

Irrespective of the dual persona, a user’s personal and corporate lives intermingle freely on a single hardware and more often than not, it’s an employees personal smartphone being used for everything.
A BYOD program enables IT to “control” an employee owned device, while enabling productivity. More often than not the objective of BYOD programs are financial; instead of the organization, an employee pays for it.  More than a fancy device, BYOD initiatives have become sort of fashion statement, of corporate productivity, of letting employees be in-charge and a show of corporate empathy to not force an archaic form-factor in a world of new device launches every month.

BYOD is no longer a means of effectively moving expense dollars and support costs. It does not matter who owns the device, it has to be protected.  BYOD brings an architectural shift.  BYOD is an architecture, which assumes that every device is vulnerable, not just what your employees have brought but what organizations have purchased for their employees. It's an architecture, which forces us to rethink how to provide productivity without comprising security.

Why assume that every device is vulnerable?

Mobile operating systems are rapidly evolving with leading upgrade announcement every other month. It is impossible for IT to catch-up. More than that, user’s are savvier than earlier.  While IT could install locks at the doors to prevent intruders, it may degrade productivity—which incentivizes user’s to bypass restrictions. A rapidly evolving mobile ecosystem have moving parts which are vulnerable.

Hence, creating a mobile security platform, which uses the fundamental blocks of BYOD architecture such as identity defragmentation, IT control and data isolation, ensures that the sprawl of corporate data is contained.

In the next post, we’ll dig deeper into the BYOD architecture.

Wednesday May 07, 2014

Deploying the Oracle IAM Suite with the Deployment Wizard - by Alex Stanciu (IDMWORKS)

With the release of Identity & Access Management suite R2 PS2 (11.1.2.2.0), Oracle has released a new deployment tool, called the Oracle Identity and Access Management Deployment Wizard, to automate the installation and configuration of products related to the IAM suite.



With the Deployment Wizard, you can fully automate the installation, configuration and integration of WebLogic Server, SOA Suite, Oracle Identity Manager, Oracle Access Management, Oracle Unified Directory, Oracle HTTP Server and Webgates. The tool allows you to select one of three deployment topologies: OIM, OAM or OIM integrated with OAM and OUD. As an Oracle Partner in this space, IDMWORKS has taken our extensive experiences in this field and pulled together a detailed paper on the usage of this Deployment Wizard that will help to give insight to those of you looking for help in understanding how to take advantage of the latest capabilities from Oracle in the deployment of Oracle's Identity and Access Management offerings. For this detailed whitepaper, please follow the link to the IDMWORKS website


Monday May 05, 2014

Is Mobility Creating New Identity and Access Challenges? - by Marcel Rizcallah

Are mobile, social, big data and cloud services generating new Identity and Access Management challenges? Guest blogger Marcel Rizcallah is the EMEA Domain Leader for Security at Oracle Consulting and today will highlight some of the new IAM challenges faced by customers with Cloud services and Mobile applications.

Sales force users ask more often for iPad or mobile devices to access Cloud services, such as CRM applications. A typical requirement is to use an AD or corporate directory account to login seamlessly into the Cloud service, either with a web browser or a downloaded application on a device. The benefits, compared to a different login/password provided by the Cloud provider, is more security and better identity governance for their organization; password policy is enforced, CRM services are granted to sales people only and Cloud accounts are de-provisioned immediately when people leave.

Integrating a mobile device browser with the intranet is easily addressed with federation solutions using the SAML standard. The user provides his login and password only once and tools such as Oracle Mobile Security Suite and Oracle Access Manager provide the end-to-end integration with the corporate directory.

Authenticating through a downloaded application provided by the Cloud service may be more complex; the user authenticates locally and the device application checks first the credentials in the cloud environment. The credentials are relayed to the organization’s intranet using REST services or standards such as SAML to validate the credentials.

Integrating IAM services between SaaS applications in the Cloud and the corporate intranet may lead to a weird situation. Let’s look at this example: one of my customers discovered that their CRM SaaS application, provided by a public Cloud environment, was supposed to be SAML compliant, yet did not correctly generate one of the SAML messages when authenticating through a downloaded application on the device. Despite all parties agreeing that this is a bug, fixing the Cloud application was not an option because of the possible impact on millions of Cloud customers. On the other hand, changing the Oracle Access Manager product, fully compliant to SAML 2.0, was not an option either. The short term solution would be to build a custom credential validation plug-in in Oracle Access Manager or an integration tool, such as Oracle API Gateway to transform the wrong message on the fly! Of course this should not stay a long term solution!

When we ask customers which SSO or Identity Governance services are the priority for integrating Cloud SaaS applications with their intranet, most of them says it’s SSO. Actually SSO is more urgent because users want to access Cloud services seamlessly from the intranet. But that’s the visible part of the iceberg; if Cloud accounts are not aligned to employees referential or sales force users, customers will end up paying more license fees to the Cloud provider than needed. SSO with Oracle Access Manager will improve customer experience, but cloud provisioning / de-provisioning with Oracle Identity Governance will optimize Cloud costs.

Use the following links to learn more about Oracle IDM products and Oracle Consulting Services for IDM.

Wednesday Apr 30, 2014

Identity Enabling Mobile Security - by Suresh Sridharan

Smart Connected Device Growth: The growth of smartphones and tablet devices has been phenomenal over the past 4 years. Global smartphone shipments have grown extensively from approximately 100m units in 2010 to 725m units in 2012, reaching 1b devices in January 2014. Simultaneously, tablet shipments have grown from 5m units in 2010 to approximately 125m units in 2012. Tablet numbers are likely to touch 400m units by 2017.

This explosion in the shipment of smart connected devices has also led to a significant change in users’ behavior and expectations.

In a corporate environment, the phenomenon of Bring Your Own Device (BYOD) is gaining momentum. Gartner predicts that 38% of all organizations will have an “all BYOD” policy by 2016, up from 6% today (2014). If the same device is being used for both personal and work purposes, users will expect the same experience across corporate and personal apps. Further, employees regularly use similar apps for both business and personal purposes examples include: WhatsApp, Skype and Facebook..

Mobile devices present benefits both for organizations and for individuals. Surveys show that a BYOD policy helps employee gain an extra 37 minutes of productive time every week. To increase sales productivity, some of our customers are mobile-enabling sales teams to ensure that they have access to the latest information when they meet with customers.

Security is one of the most significant mobile device challenges both for consumers and for enterprises. Although mobile-commerce is growing rapidly (to $25b in the US alone), 60% all retail transactions that get to the checkout stage are abandoned with security as one of the main causes, according to recent data.

As corporate data on the device co-mingles with user data on a personal device, it becomes challenging for enterprises to impose restrictions on the use of devices. About 40% of adults do not protect their smartphones with a passcode, with married adults that number goes up to 45%.
In order to address security challenges, IT should be able to define and enforce policies that meet security and privacy standards to protect intellectual property, other corporate assets and optionally, personal employee data.

There are three things to consider while implementing security in the new mobile age:

  1. Implement a strong identity management system that allows one to manage users and ensure that they are able to access information based on the principle of least privilege to carry out the necessary tasks.
  2. Implement an access management solution to secure data based on who is accessing it and the risk profile of that specific transaction.
  3. Implement a mobile security solution that will help secure data on the device and ensure corporate security policies are enforced on the device from which assets are being accessed.

In essence, organizations need to ensure that application data is secured based on the user accessing it and the device and location from which it is being secured. Securing the device and the user identity, in isolation, is not sufficient.

About

Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.

Search

Archives
« May 2016
SunMonTueWedThuFriSat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
    
       
Today