Tuesday Jul 02, 2013

Taking the training wheels off: Accelerating the Business with Oracle IAM by Brian Mozinski (Accenture)

Today, technical requirements for IAM are evolving rapidly, and the bar is continuously raised for high performance IAM solutions as organizations look to roll out high volume use cases on the back of legacy systems.  Existing solutions were often designed and architected to support offline transactions and manual processes, and the business owners today demand globally scalable infrastructure to support the growth their business cases are expected to deliver.

To help IAM practitioners address these challenges and make their organizations and themselves more successful, this series will outline the following:

• Taking the training wheels off: Accelerating the Business with Oracle IAM
The explosive growth in expectations for IAM infrastructure, and the business cases they support to gain investment in new security programs.

• "Necessity is the mother of invention": Technical solutions developed in the field
Well-proven tricks of the trade, used by IAM gurus to maximize your solution while addressing the requirements of global organizations.

• The Art & Science of Performance Tuning of Oracle IAM 11gR2
Real world examples of performance tuning with Oracle IAM

• Nowhere to go but up: Extending the benefits of accelerated IAM
Anything is possible: compelling new solutions organizations are unlocking with accelerated Oracle IAM

Let’s get started … by talking about the changing dynamics driving these discussions.

Big companies are getting bigger every day, and increasingly organizations operate across state lines, multiple time zones, and in many countries or continents at the same time. No longer is midnight to 6am a safe time to take down the system for upgrades, to run recons and import or update user accounts and attributes. Further, IT organizations are operating as shared services, with their “clients” expecting SLAs similar to telephone carrier levels. Workers are moved in and out of roles on a weekly, daily, or even hourly basis, and IAM is expected to support those rapid changes. End users registering for services during business hours in Singapore expect their access to be green-lighted in custom apps hosted in Portugal within the hour. Many of the expectations of asynchronous systems and batched updates are not adequate, and the number and types of users are growing.

When organizations acted more like independent teams at functional or geographic levels, it was manageable to have processes that relied on a handful of people who knew how to make things work ... knew how to get you access to the key systems to get your job done. Today everyone is expected to do more with less: the finance administrator previously supporting their local Atlanta sales office might now be asked to help close the books for the Johannesburg team, and the access certification process once completed monthly by Joan on the 3rd floor is now done by a shared pool of resources in Sao Paulo.

Fragmented processes that rely on institutional knowledge to get access to systems and get work done quickly break down in these scenarios.  Highly robust processes that have automated workflows for connected or disconnected systems give organizations the dynamic flexibility to share work across these lines and cut costs or increase productivity.

As the IT industry computing paradigms continue to change with the passing of time, and as mature or proven approaches become clear, it is normal for organizations to adjust accordingly. Businesses must manage identity in an increasingly hybrid world in which legacy on-premises IAM infrastructures are extended or replaced to support more and more interconnected and interdependent services to a wider range of users. The old legacy IAM implementation models we had relied on to manage identities no longer apply.

End users expect to self-request access to services from their tablet, get supervisor approval over mobile devices and email, and launch the application even if it is hosted on the cloud, or run by a partner, vendor, or service provider.

While user expectations are higher, they are also simpler … logging into custom desktop apps to request approvals, or going through email or paper based processes for certification is unacceptable.  Users expect security to operate within the paradigm of the application … i.e. feel like the application they are using.

Citizen- and customer-facing applications have evolved from everywhere, with custom applications, 3rd party tools, and applications merging in from acquired entities or 3rd party OEMs resold to expand your portfolio of services. These all have their own user stores, authentication models, user lifecycles, session management, etc. Often the designers/developers are no longer accessible and the documentation is limited. Bringing together underlying directories to scale for growth and improve user experience is critical for revenue … but also for operations.

Job functions are more dynamic ... take the Olympics for example. Endless organizations, from corporations broadcasting, endorsing, or marketing through the event … to non-profit athletic foundations and public/government entities for athletes and public safety, all operate simultaneously on the world stage. Each organization needs to spin up short-term teams, often dealing with proprietary information from hot ads to racing strategies or security plans. IAM is expected to enable teams to spin up, enable new applications, protect privacy, and secure critical infrastructure. Then it needs to be disabled just as quickly as users go back to their previous responsibilities.

On a more technical level …
Businesses today need an optimized system directory, along with tuning guidelines and parameters. They need to make the right choices (such as virtual directories) by choosing the correct architectural patterns (virtual, direct, replicated, and tuning). The challenge is that businesses need to assess and choose the correct architectural patterns (centralized, virtualized, and distributed).

Today's business organizations have very complex heterogeneous enterprises that contain diverse and multifaceted information. With today's ever-changing global landscape, the strategic end goal for business in challenging times is business agility. The business of identity management requires enterprises to be more agile and more responsive than ever before. The continued proliferation of networking devices (PCs, tablets, PDAs, notebooks, etc.) has caused the number of devices, and of users to be granted access to these devices, to grow exponentially. Businesses need to deploy an IAM system that can account for the demands for authentication and authorization to these devices.

Increased innovation is forcing businesses and organizations to centralize their identity management services. Access management needs to handle traditional web-based access as well as new innovations around mobile, and it must address insufficient governance processes, which can lead to rogue identity accounts that then become a source of vulnerabilities within a business’s identity platform. Risk-based decisions are posing challenges to businesses, which need an adaptive risk model to make proper access decisions via standard Web single sign-on for internal and external customers. Organizations have to move beyond simple login and passwords to address trusted relationship questions such as: Is this a trusted customer, client, or citizen? Is this a trusted employee, vendor, or partner? Is this a trusted device?

Without a solid technological foundation, organizational performance, collaboration, constituent services, or any other organizational processes will languish. A single server location presents not only network concerns for a distributed user base, but also identity challenges. The network risks are centered on the latency of the long trip that the traffic has to take. Other risks concern performance and availability: if the single identity server is lost, all access is lost.

As you can see, there are many reasons why performance tuning IAM will have a substantial impact on the success of your organization. In our next installment in the series we roll up our sleeves and get into detailed tuning techniques used every day by thought leaders in the field implementing Oracle Identity & Access Management Solutions.

Wednesday Jun 26, 2013

Taking the Plunge - or Dipping Your Toe - into the Fluffy IAM Cloud by Paul Dhanjal (Simeio Solutions)

In our last three posts, we’ve examined the revolution that’s occurring today in identity and access management (IAM). We looked at the business drivers behind the growth of cloud-based IAM, the shortcomings of the old, last-century IAM models, and the new opportunities that federation, identity hubs and other new cloud capabilities can provide by changing the way you interact with everyone who does business with you.

In this, our final post in the series, we’ll cover the key things you, the enterprise architect, should keep in mind when considering moving IAM to the cloud.

Invariably, what starts the consideration process is a burning business need: a compliance requirement, security vulnerability or belt-tightening edict. Many on the business side view IAM as the “silver bullet” – and for good reason. You can almost always devise a solution using some aspect of IAM.

The most critical question to ask first when using IAM to address the business need is, simply: is my solution complete? Typically, “business” is not focused on the big picture. Understandably, they’re focused instead on the need at hand: Can we be HIPAA compliant in 6 months? Can we tighten our new hire, employee transfer and termination processes? What can we do to prevent another password breach? Can we reduce our service center costs by the end of next quarter?

The business may not be focused on the complete set of services offered by IAM but rather a single aspect or two. But it is the job – indeed the duty – of the enterprise architect to ensure that all aspects are being met. It’s like remodeling a house but failing to consider the impact on the foundation, the furnace or the zoning or setback requirements. While the homeowners may not be thinking of such things, the architect, of course, must.

At Simeio Solutions, the way we ensure that all aspects are being taken into account – to expose any gaps or weaknesses – is to assess our client’s IAM capabilities against a five-step maturity model ranging from “ad hoc” to “optimized.” The model we use is similar to Capability Maturity Model Integration (CMMI) developed by the Software Engineering Institute (SEI) at Carnegie Mellon University. It’s based upon some simple criteria, which can provide a visual representation of how well our clients fare when evaluated against four core categories:

• Program Governance

• Access Management (e.g., Single Sign-On)

• Identity and Access Governance (e.g., Identity Intelligence)

• Enterprise Security (e.g., DLP and SIEM)

Often our clients believe they have a solution with all the bases covered, but the model exposes the gaps or weaknesses. The gaps are ideal opportunities for the cloud to enter into the conversation.

The complete process is straightforward:

1. Look at the big picture, not just the immediate need – what is our roadmap and how does this solution fit?

2. Determine where you stand with respect to the four core areas – what are the gaps?

3. Decide how to cover the gaps – what role can the cloud play?

Returning to our home remodeling analogy, at some point, if gaps or weaknesses are discovered when evaluating the complete impact of the proposed remodel – if the existing foundation wouldn’t support the new addition, for example – the owners need to decide if it’s time to move to a new house instead of trying to remodel the old one.

However, with IAM it’s not an either-or proposition – i.e., either move to the cloud or fix the existing infrastructure. It’s possible to use new cloud technologies just to cover the gaps.

Many of our clients start their migration to the cloud this way, dipping in their toe instead of taking the plunge all at once. Because our cloud services offering is based on the Oracle Identity and Access Management Suite, we can offer a tremendous amount of flexibility in this regard. The Oracle platform is not a collection of point solutions, but rather a complete, integrated, best-of-breed suite. Yet it’s not an all-or-nothing proposition. You can choose just the features and capabilities you need using a pay-as-you-go model, incrementally turning on and off services as needed. Better still, all the other capabilities are there, at the ready, whenever you need them.

Spooling up these cloud-only services takes just a fraction of the time it would take a typical organization to deploy internally. SLAs in the cloud may be higher than on premise, too. And by using a suite of software that’s complete and integrated, you can dramatically lower cost and complexity.

If your in-house solution cannot be migrated to the cloud, you might consider using hardware appliances such as Simeio’s Cloud Interceptor to extend your enterprise out into the network. You might also consider using Expert Managed Services. Cost is usually the key factor – not just development costs but also operational sustainment costs. Talent or resourcing issues often come into play when thinking about sustaining a program. Expert Managed Services such as those we offer at Simeio can address those concerns head on.

In a cloud offering, identity and access services lend themselves to the new paradigms described in my previous posts. Most importantly, it allows us all to focus on what we're meant to do – provide value, lower costs and increase security to our respective organizations. It’s that magic “silver bullet” that business knew you had all along.

If you’d like to talk more, you can find us at simeiosolutions.com.

Tuesday Jun 18, 2013

The Keys to the Password Vault by Matthew Scott (aurionPro SENA)

Super user accounts are, unfortunately, a necessary evil. It’s just a fact of life in the IT industry that someone, somewhere, has to have the ability to make fundamental (and therefore potentially catastrophic!) changes to key systems.

One of my least favourite experiences as a consultant was gaining access to an account through a process that was reminiscent of a spy thriller – the password was typed onto a card, which was cut in two, with each half stored in a separate safe and each key entrusted to a meticulous security officer. Navigating the procedures to get the halves together in time to be useful was a trial of persuasion and scheduling – I can see why Tom Cruise prefers to abseil in through the roof instead of filling in yet another form!

Compliance officers are increasingly scrutinising privileged accounts and the processes that control access to them – not surprisingly, since surveys have shown that up to a quarter of IT professionals have experienced misuse of such accounts, and almost half of all companies fail to manage these accounts in accordance with the law (http://www.computerweekly.com/news/2240111956/One-in-four-IT-security-staff-abuse-admin-rights-survey-shows). The results can be spectacular and sobering – the UBS trader Kweku Adoboli cost his company $2.3 billion after making disastrous trades using a privileged account which he was not authorised to use.

Thankfully, there is now a better way. As we’ve seen in this series, with the ESSO suite the technology exists to manage user passwords without the user having to actually ‘know’ that password. It is possible to extend this functionality to include those previously hard to manage privileged accounts by introducing Oracle Privileged Accounts Manager (OPAM). OPAM acts as a secure password vault for privileged accounts, but unlike other password vaults it can be connected directly to the ESSO Logon Manager agent so that passwords can be requested, obtained and used, all from the user’s desktop.

OPAM is particularly useful for companies with large, decentralised UNIX environments. We are currently engaged with a large financial organisation which has several hundred servers, with various distributions of Linux and UNIX that are managed by different teams. With OPAM, all those precious root accounts have for the first time been corralled together in one location, where they can be released as needed to any authorised user. OPAM is equally adept at managing identities stored in directories, including Windows service accounts within Active Directory.

To calm the fears of any compliance officers who may be reading these words nervously, it is possible to implement workflows to control the request process. This may include approvals from a higher authority, complete with email or mobile notifications to the approver. And of course ESSO and OPAM feature end-to-end audit trails – from request, to check out, to each use of the privileged account, through to check in. Tracking who has been doing what with each account has never been easier.

In addition to managing privileged accounts, the ESSO suite also allows users to distribute their personal accounts in a similar manner. Many of us have experienced the frustration of needing access to a system, a record or an email only to discover that the person with access is on holiday or otherwise unavailable. In extreme cases, this may require that the absent user’s Windows account be reset to allow another user to log on and gain access. ESSO’s Account Delegation allows these key users to pro-actively devolve their account credentials to another user for a set period – no passwords required!

Monday Jun 17, 2013

Are you registered for the "Embracing Mobility in the Workspace" Webinar yet?

Excitement is building around an upcoming webinar hosted by Oracle Partner AmerIndia on June 27th. Arun Mehta, Sr Consultant with @AmerIndia, and Sid Mishra from Oracle will be speaking on the subject of Mobility in the Enterprise, the implications BYOD has for the security posture of the organization, and the steps you can take to reduce your risk.

Online space for this Webinar is limited, so we recommend you register ASAP at http://www.amerindia.net/webinars.php to secure your spot for this exciting event on June 27th.

For a preview of what you can expect to learn from this webinar, check out the editorial posted here on the OracleIDM blog last week by AmerIndia, "Embracing Mobility in the Workspace" by Arun Mehta. In this editorial, Arun addresses a segment of what he plans to cover in the webinar.

Look forward to seeing you on the 27th!

Wednesday Jun 12, 2013

Abandoning our "Last Century" IAM Models by Paul Dhanjal (Simeio Solutions)

In our previous blog, we looked at the business drivers behind the growth of cloud-based Identity and Access Management (IAM). These drivers, combined with cultural and technology trends, have made cloud-based IAM more attractive – and, frankly, more necessary – than ever.

Now that business has evolved to offer more and more interconnected and interdependent services to a wider range of users, the old models we had relied on to manage identities no longer apply. Our old identity management and security models designed for internal users simply can’t keep up with the rapidly evolving landscape. The forces that are shaping this new reality are so powerful, their momentum so great, that they now dictate the terms of how identity must be managed within an organization. The balance of power has shifted away from the IT organization and into the hands of end-users. If you are to meet their expectations, if you hope to compete and remain relevant, you must make the transition from build-your-own IAM to out-of-the-box IAM, from customization to configuration.

While there may be a big stick pushing us to make this transition, the carrots are equally compelling: lower costs, faster time to market, enhanced security, greater flexibility and, perhaps most important, the freedom to focus on the value and quality of the services you provide instead of how they’re provided.

There may be no better example of this than bring-your-own-device (BYOD). For years, IT laid down the law to prevent it. Now, fueled by the consumerization of mobile devices and tablets, BYOD has become the rule rather than the exception. It was inevitable. BYOD not only reduces strain on the organization to purchase and support such devices, it also increases employee satisfaction and productivity.

But, of course, the concerns behind the original reticence to allow BYOD remain. In fact, those concerns are magnified now that we’ve moved from uniform desktops tethered to the office to diverse mobile devices that can literally be taken – and lost  – anywhere in the world.

Here’s where out-of-the-box solutions such as Oracle Access Management Suite come to the rescue. They’re designed to enable centralized policy management for securing access to services via mobile applications, going beyond web single sign-on, authentication and authorization. Such solutions are designed from the ground up to handle the added complexity of password management and security in a mobile world, including strong authentication, real-time behavioral profiling, and device fingerprinting. Adaptive products such as those from Oracle provide a multi-faceted approach to mitigate breaches into mobile and Web Applications, all while tying into a closed loop audit process with powerful reporting and notification engines.

Another example is the growing need to manage external identities – those of partners or customers. It may be tempting to use existing capabilities designed for internal identities for this. After all, the same basic services are involved, including handling access requests, granting access, and password management. But the differences are simply too great. There are different business needs, different security concerns, different compliance requirements, even different licensing issues.

Here, too, the new cloud-based IAM models offer us a solution. Their multi-tenancy capabilities mean a single instance of software can serve multiple constituencies discretely by virtually partitioning the management of identities based on any criteria or business need.

As they say on those late night infomercials, that’s not all. The cloud model and its converging standards open the door to entirely new ways of dealing with external identities. For example, products such as Oracle Access Manager allow users to register for a site's services using their social login IDs as an authentication mechanism (using OAuth and OpenID standards). This gets the organization out of the business of managing these external identities altogether, delegating password management, user profile, account settings, etc. to a third party – Google or Facebook, for example. 

If you’re not willing to delegate these tasks, you can still leverage external identities during registration by pulling the user’s basic identity information from a trusted third-party identity provider (IDP). This approach marries the old with the new, maintaining a security perimeter for user access by ensuring audit and closed-loop certification processes are still in place, while reducing the burden on the user who no longer has to provide basic information in order to register.

Delegation is a recurring theme in new IAM models. Cloud-based IAM, for example, makes it easy to push out user administration, certification and operational request management to individual lines of business. This in turn enables you to downsize centralized call support by using delegated authorities within those business units – managers who are closer (both conceptually and physically) to the users who require access. This is done via strong workflow management, which ties into a well-governed and managed role service as well as enterprise roles and processes for mover/joiner/leaver scenarios.

Case in point: the HR systems the US government uses to provision all roles (for resources and entitlements). Users request access directly from their managers. End-dates are used to enforce de-provisioning of all granted access, even during termination. The result is end-to-end lifecycle management with delegated administration, while ensuring compliance with a centralized audit process.

In our next post, we’ll explore what identity looks like in a secure, connected world and what that means for your business.

Tuesday Jun 11, 2013

Achieving "Zero-Touch" Password Management by Steve Knott (aurionPro SENA)

Traditionally when a user is on-boarded into an organisation they are given a desktop password along with a whole host of other passwords to access the required business applications to enable them to do their job. Inevitably there will be numerous associated company information security policies that dictate that passwords should not be written down or shared with colleagues etc.

Trying to remember numerous passwords can be onerous on the end user at the best of times and can lead to a plethora of password sins committed by the end user. Whilst we can deploy some SSO technologies to relieve password fatigue, the on-boarding provisioning process often means that the user needs to know their passwords at some point – or do they?

I recently worked on a project at a leading engineering company who were in the process of deploying a large new ERP system. The end users were highly skilled engineers focusing on cutting edge technology but password security was not high on their list of priorities. Traditionally within the organisation, credentials for new applications were sent by email and sometimes they were communicated over the phone. Inevitably these were written down in text files and diaries or passwords were changed to be the same “pet’s name” type password for multiple applications.

This was a huge concern for the Chief Architect who wanted to remove end user password management and provide “zero touch” credential provisioning for the new ERP applications. He also wanted to satisfy auditing and compliance requirements by enforcing complex passwords whilst preventing unauthorised credential sharing. All this needed to be achieved without inconveniencing the users.

We discussed the tried and tested approach of using a full-blown identity management solution. However, his response to this was that although wider identity management was on their long-term roadmap, he had a hard deadline to deliver the ERP system within three months and with limited resources. With traditional user provisioning ‘out the window’ we had to come up with another approach. Everyone would be using the new ERP system for their timesheets on the same day, and with any business impact due to unavailability therefore being potentially very significant, the customer couldn’t afford to have issues related to logging in.

One product that they already had licensed was the Oracle Enterprise Single Sign-on (ESSO) suite. Oracle ESSO is a well-known, established product which provides single sign-on to any application at the desktop. Not so well known are the additional tools provided within the suite. One of these additional tools is Oracle ESSO Provisioning Gateway. Provisioning Gateway is a web-based application that complements the other tools in the suite by enabling the provisioning of application credentials directly to the SSO agent without user interaction.

The Provisioning Gateway server exposes a web service interface that allows it to receive instructions submitted by any other provisioning server. Although Provisioning Gateway is more commonly deployed connected to an identity management system, it does have command line interface (CLI) utilities supplied with the software. These utilities allow for scripted interactions with the Provisioning Gateway server, including batch operations.

For this customer it was possible to export the user credential data out of the ERP system into a text-file format.  Then, armed only with the tools provided within the Oracle ESSO suite it was possible to script the provisioning of these user credentials in batches of 500-1000 to the Provisioning Gateway server. The server provisioned the credentials to the ESSO repository and the credentials were synchronised to the desktop SSO agent at user logon.

So far, so good.  At this stage, the users were still unaware that anything had happened.  The new ERP system wasn’t live yet, but in anticipation of its general release we now had each individual’s username and password ready to go in their SSO credential store – ready for first login.

For security reasons, the ERP system was configured to require a password change at first logon. Therefore, when the user launched the application for the first time on its launch date, an application change password event was triggered. The Oracle ESSO agent was configured to recognise and respond to this change password event, automatically generating and inserting a new password, leaving the user logged on with a new complex password. The end user did not know their password at any point of the on-boarding process or for subsequent logons. Therefore the opportunity of sharing their logon details with colleagues was eliminated. Furthermore, issues with the distribution of new passwords were avoided altogether.

The aurionPro SENA fast rollout template for Oracle ESSO enabled this customer to hit the implementation deadline of the ERP project and also address the security requirements of the organisation. ESSO Provisioning Gateway also has a management interface and this customer exploited this feature to allow the helpdesk team to apply the zero touch methodology to other applications.

As we discussed in the first blog (Putting the EASY into SSO) - Oracle ESSO provides more than just single sign-on to desktop applications.  Its use for zero-touch provisioning shows its versatility and that it can form a core part of an integrated identity and access management framework.  It’s not just a tactical tool for a single issue.  Stay tuned for next week’s blog in this series where we’ll be investigating the capabilities of Oracle ESSO still further.

Monday Jun 10, 2013

Embracing Mobility in the Workspace: Oracle API Gateway

Embracing Mobility in the Workspace using Oracle API Gateway

“In 2013, mobile devices will pass PCs to be most common Web access tools. By 2015, over 80% of handsets in mature markets will be smart phones.”

- Gartner Research

Across the globe, corporations are embracing the influx of mobility and the last five years have seen an expanding role of mobility in the workspace. Enterprises everywhere are coming up with innovative initiatives to support the mobility needs of personnel working for them. In addition, a variety of mobile applications and services are being offered to the workforce to make them more effective and efficient at work. Such applications and services unify different user populations within the organization, including internal workforce, partners, customers, and consumers, with the internal and external resources of the organization.

There are numerous reasons why enterprises are embracing mobility in the workspace and the chart below highlights the most important ones:

The devices used by the user populations are usually diverse in nature and lead to a fragmented and disconnected landscape. As a result, IT architects and product managers of organizations are compelled to develop applications that can be ported to the mobile devices of users. However, the deployed in-house applications aren’t capable of averting the increasingly sophisticated identity thefts and data breaches of today. Development and utilization of secured mobile applications is often the primary concern that bothers infrastructure and solution architects today.

Forrester Consulting commissioned a study on behalf of Cisco Systems in 2012 to gather information on top security concerns and compatibility issues that concern senior-level decision-makers. The chart below illustrates the results.

 

 

 

There are a lot of aspects that should be managed to effectively support mobile devices. They are:

 

• Password and User management – Management of multiple passwords and user identities for each application.

• Device Management – Management of authentication and authorization of devices allowing users to access company resources securely. A high mobile device turnover by user population calls for re-registration of new devices and blacklisting/wiping-out of corporate information from older devices. Device management automates such processes in a structured manner.

• Application Access Management – Management of role-based access that is usually absent or is being managed locally in the application, leading to unauthorized access to applications. Local role management also leads to redundant and expensive management of access to applications via roles.

• API Management – Management of central publishing, promoting, and monitoring of exposed APIs within a secure and scalable environment that is often missing. Many applications today expose web services which may not be consumed by mobile devices as efficiently as possible.

 

The following section describes how the above-mentioned aspects are managed, and how the challenges and issues related to adoption of mobile devices are addressed, by using Oracle API Gateway and a variety of other components of the Oracle Access Management stack.

 

• User Management – The mentioned aspects and challenges are addressed by having a user provisioning tool like Oracle Identity Manager (OIM). OIM streamlines user provisioning and de-provisioning, and other identity-based lifecycle events in the organization. Along with that, users are also provisioned access to various target systems. Once access provisioning is completed, Oracle Access Management (OAM) steps in for users who wish to access the target system by using single sign-on. The authentication can be done by binding to LDAP, but OAM brings additional advantages as it allows various policies and procedures to be defined and implemented for the users accessing target systems within the enterprise. Furthermore, access requests to all resources from mobile devices are intercepted by Oracle API Gateway or OAG (deployed in the DMZ) in order to enforce the policies that define the steps involved. OAG gathers the necessary user, application, device, and network context data to enable authentication decisions and validates the gathered data using the Access Management tool as per the policies laid down.

 

However, this approach only performs user authentication and relies on the Access Management tool to perform coarse-grained authorization, and may not be sufficient for the detailed authorization rules defined within the application itself.

 

Please refer to the figure below for a better understanding.

 

 

 

• Device Management – Mobile devices used by users are registered through Identity Manager as an asset and this information is provisioned to an LDAP, DB device, or an App registry. Also, Oracle API Gateway is used to perform device authentication by using the custom authentication logic it comes with. Once the device is authenticated, a device token is generated, and the mobile device uses that token in subsequent interactions in order to fetch the desired information from the applications. This is a simple approach and can be employed to achieve the desired results in small work environments where functionalities like device profiling, blacklisting and whitelisting, knowledge-based authentication, and device control are of less importance.

 

For work environments that are larger and more complex, and where the previously mentioned functionalities are important, the Access Management component can be extended to include and deploy Oracle Adaptive Access Manager (OAAM) along with the Mobile and Social Services components. By doing this, the desired Device Management functionality is implemented.

 

In other scenarios, device registration can also be delegated to OAAM components rather than registering it through Oracle Identity Manager against the user record. Here, mobile and social services components play a crucial role of mediating security tokens for mobile devices to access enterprise resources and cloud based applications.

 

Please refer to the figure below for a better understanding.

 

 

• Application Access Management – The above two architectures explain how Oracle API Gateway (OAG) manages and performs user and device authentication. Oracle API Gateway is the policy enforcement point for mobile devices, in the same way that Web-Gates are the policy enforcement points for Oracle Access Management. However, fine-grained authorization can’t be overlooked.

 

The classical approach to programming embedded the authorization logic within the application itself, making the management and extension of application security cumbersome. It can also lead to failed audit and compliance requirements for certifying who has what access and at what level. This may not be acceptable in today’s world of increased scrutiny of applications and their access.

 

Fortunately, Oracle Entitlement Server (OES) comes to the rescue and serves as a central policy decision/definition point where all applications can externalize authorization rules. When OES is used with OAG, OAG enforces the authorization policies set by OES. In addition, the combination can also redact data elements based on the roles of the users accessing applications through mobile devices.
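The device-token and externalized-authorization flow described above, as an added Python sketch that is not Oracle's code and uses no OAG, OES or OAM API: a gateway (enforcement point) verifies an HMAC-signed device token, asks a central decision function which fields the user's role may read, and redacts everything else. The key, device registry, roles, policy and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# All values below are constructed for illustration.
GATEWAY_KEY = b"constructed-demo-key"  # assumption: a secret held only by the gateway

# Stand-in for the device registry (LDAP, DB or app registry in the article).
DEVICE_REGISTRY = {
    "dev-001": {"owner": "alice", "status": "active"},
    "dev-002": {"owner": "bob", "status": "blacklisted"},
    "dev-003": {"owner": "carol", "status": "active"},
}

# Stand-in for the central policy store: role -> resource -> readable fields.
USER_ROLES = {"alice": "hr_manager", "bob": "team_lead", "carol": "team_lead"}
POLICY = {
    "hr_manager": {"employee_record": {"name", "dept", "salary", "ssn"}},
    "team_lead": {"employee_record": {"name", "dept"}},
}


def _device_is_active(device_id):
    dev = DEVICE_REGISTRY.get(device_id)
    return dev is not None and dev["status"] == "active"


def _sign(body):
    return hmac.new(GATEWAY_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_device_token(device_id, now=None, ttl=900):
    """Issue a short-lived signed token to a registered, active device only."""
    if not _device_is_active(device_id):
        raise PermissionError("device not registered or blacklisted")
    now = time.time() if now is None else now
    claims = {"dev": device_id, "sub": DEVICE_REGISTRY[device_id]["owner"],
              "exp": int(now) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + _sign(body)


def verify_device_token(token, now=None):
    """Return the claims of a valid token, or raise PermissionError."""
    body, sep, sig = token.rpartition(".")
    if not sep:
        raise PermissionError("malformed token")
    # Constant-time comparison; the body is parsed only after the MAC checks out.
    if not hmac.compare_digest(_sign(body).encode(), sig.encode()):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        raise PermissionError("token expired")
    # Re-check the registry on every request so blacklisting takes effect at once.
    if not _device_is_active(claims["dev"]):
        raise PermissionError("device revoked")
    return claims


def pdp_decide(user, resource):
    """Central decision point: fields this user may read (empty set means deny)."""
    role = USER_ROLES.get(user)
    return set(POLICY.get(role, {}).get(resource, ()))


def gateway_handle(token, resource, backend_record, now=None):
    """Enforcement point: authenticate the device, ask the PDP, redact the reply."""
    try:
        claims = verify_device_token(token, now)
    except PermissionError as exc:
        return 401, {"error": str(exc)}
    allowed = pdp_decide(claims["sub"], resource)
    if not allowed:
        return 403, {"error": "not authorized"}
    # Allow-list redaction: any field the policy does not name is dropped.
    return 200, {k: v for k, v in backend_record.items() if k in allowed}


# Constructed backend response.
RECORD = {"name": "J. Doe", "dept": "Finance", "salary": 91000,
          "ssn": "000-00-0000", "notes": "internal"}
```

Because redaction is an allow-list, a field the backend adds later (such as `notes` here) stays hidden until the central policy names it, and the application code needs no change when roles change.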

 

The figure below will be able to help you understand the concepts better.

 

 

 

• API Management – Enterprises today have applications that expose web services primarily meant for either intranet use or exchanging information with business-partner applications. That paradigm has shifted with the proliferation of mobile devices being on-boarded and the need to access the respective applications on these devices. Mobile devices may not be able to consume the exposed web services as efficiently, and thus require enterprises to adopt strategies to either re-write or extend those web services for such use cases, or rely on Oracle API Gateway (OAG) features and functionalities.

 

OAG provides functionality that spares enterprises these efforts by performing content transformation on the fly to adapt services for mobile device use. Oracle API Gateway provides a controlled connection between APIs and the applications that expose them. OAG also provides access-related metrics for any APIs it manages. In a well laid-out architecture and implementation of OAG, enterprises can expose these services confidently, with additional benefits such as threat protection and XML acceleration at the same performance levels, and exceptional reporting and analytics capabilities across all services.

 

In all, mobile devices have evolved to better suit the needs of consumers but at the same time have traded off their security to ensure usability. These trade-offs increasingly contribute to security risks when such devices connect to enterprise resources.

 

The security risks should be addressed in an effective manner to protect precious company resources and comply with increasingly strict regulations. Mobile Access management solution using Oracle API Gateway technology unifies enterprise resources and cloud-based resources across network boundaries to mobile devices. This solution assures enhanced security, regulatory compliance, improved governance, and increased productivity. 

 

Webinar

 

For more information on registration on our upcoming joint webinar with guest presenters Arun Mehta from AmerIndia, and Sid Mishra from Oracle Corporation, please go to  http://www.amerindia.net/webinars.php. Here you will be able to pre-register for this event, where we will discuss the changing face of mobile devices in today’s work environment and the risks associated with this upcoming trend. In addition, solutions available to address such risks will be described, while also highlighting solutions specific to different types of organization.

 

Author

 

 

Arun Mehta

Mobile Security Practice Leader

AmerIndia Technologies Inc.

 

Arun Mehta is Principal Solution Architect in Mobile Security, Security Solutions practice at AmerIndia Technologies Inc. In this role, Arun leads a team of specialist technical consultants and architects across North America focusing on Oracle's Security and Identity Management technology. Arun has been in the field of Security for over a decade and has experience across large and complex Identity Management projects in the North America region covering multiple industry verticals. More recently, he has been engaged on a number of projects including enterprise security platforms and mobile access management to help customers enable digital and business transformation initiatives.

  

 

 

AmerIndia Technologies Inc.

AmerIndia Technology Inc. is a full-service information security consulting firm and an Oracle Gold Partner. We specialize in security assessments, software security, mobile security, identity and access management, cloud identity management, API management, certification, regulatory compliance, and vulnerability management. AmerIndia serves clients throughout the United States.

 

Our expertise and client base spans all major verticals. Customers include Fortune 5000 companies in the financial, technology, healthcare, insurance, education and manufacturing sectors. Because of our wide range of experience and subject matter knowledge, major consulting firms also rely on AmerIndia as a trusted partner.

For more information, visit our website: www.amerindia.net

 

 

Wednesday Jun 05, 2013

The Cloud-based IAM Revolution by Paul Dhanjal (Simeio Blog Series - Ch1)

One of the most significant advancements in IT in the last few years has been the shift to cloud-based Identity and Access Management (IAM). While the word “revolution” is all-too-often used in IT, arguably it’s the right word to describe the transformation that the cloud brings to identity.

Over the next four weeks, we’ll delve into the details of this revolution, including a look at its impact on how you’ll do business, why change is needed, and what you’ll need to know to make the transition. Let’s get started by looking at the business drivers.

In just a few short years, cloud-based IAM has matured from simple portals offering single sign-on for a handful of Software-as-a-Service (SaaS) applications to sophisticated, comprehensive solutions that integrate seamlessly with virtually any directory service and application – on-premise, legacy or SaaS. They provide automated workflows for user access request submission and review, provisioning and attestation. They enable federation. And they simplify compliance with regulatory mandates.

The cloud model itself comes in a variety of flavors that provide enough flexibility to meet almost any organization’s needs, from public clouds that dramatically lower TCO through multi-tenancy to private clouds that can meet even the most stringent security and control requirements.

The drivers behind this revolution will be familiar to any CXO.

First, CXOs are facing increased pressure to reduce cost and complexity. They’re expected to follow the popular business school advice to “stick to the knitting”: focus exclusively on the core business and jettison everything else. IAM is squarely in the cross hairs, a tempting target for organizations looking to outsource services that don’t offer a clear and direct competitive advantage.

At the same time, IT is now expected to be a business enabler – to help grow the business, not just support it. This requires IT to be more flexible and nimble to meet ever-changing business demands, including the ability to quickly and easily provide employees, partners and customers with secure and role-appropriate access to a rapidly growing and evolving set of information, applications and other online resources.

User expectations, too, are rising rapidly. As users become accustomed to using more and more services online from filing their taxes to sharing their photos, they now expect the convenience of moving seamlessly between multiple services using a single set of credentials – their Facebook or Google accounts, for example.

Add to the mix the growing security, compliance and regulatory mandates tied to identity, and the challenge can seem insurmountable.

Thankfully, the cloud has offered us a clear path forward. The benefits are just as clear.

First, the cloud delivers on the promise of outsourcing: reducing capital strain and freeing the business to focus on its core competencies. It eliminates the large investment required to stand up an IAM infrastructure: the hardware costs, in many cases the software licenses, and all the configurations and integrations in between. It eliminates ongoing maintenance and upgrade costs, too.

Many cloud-based IAM solutions offer on-demand services with pay-as-you-go pricing – you get and pay for the capability when and only when you need it. They also significantly reduce operational costs so that companies have the benefit of automated IAM without the costs of implementing and maintaining an in-house IAM infrastructure.

In addition to the rise of secure and reliable ISO 27001 compliant data centers and complete, enterprise-ready solutions such as Oracle Cloud Computing, standards-based protocols have dramatically reduced the risk of making the leap to cloud-based IAM. As the saying goes, “the nice thing about standards is that there are so many to choose from.” While many of the first cloud-based IAM solutions seemed to add more to the list, today we’re seeing a real convergence toward a small set of widely adopted standards that have made implementation and integration remarkably easy, including REST-based APIs, OAuth, SAML and OpenID Connect.

While some dive in headlong, many dip their toe in the water with quick-win implementations – to address rising costs for password management by offering self-service, for example – and then progress through provisioning into a handful of core identity systems, synchronization of passwords between authoritative system, etc. This approach often allows the organization time to see that identity can be leveraged as a service for other business needs.

A large financial institution, for example, mandated that all its lines of business use a centralized in-house identity governance solution, then charged each LOB to use the service. This could be done only with a service approach to identity, which became possible once the beachhead of self-service password management had been established.

In our next post, we’ll explore the reasons why organizations must make the transition to new, cloud-based IAM models if they hope to compete in a world where business has moved online. For more information on the services and offerings at Simeio Solutions, you can learn more by going to www.simeiosolutions.com

 

Tuesday Jun 04, 2013

Putting the EASY into ESSO! by Matthew Scott (aurionPro SENA Blog Series - Ch1)

Enterprise Single Sign-On occupies an unusual position in the field of IAM. In automating the sign-on of users to their applications, it is, somewhat uniquely, a client-side application. For some of our customers, the role of enterprise SSO in an IAM programme isn’t entirely clear. I’ve spoken with many security architects who view its use as somehow tantamount to cheating. Surely, they assert, if we fully integrate systems at the back-end then the need for a client component doing sign-on becomes unnecessary. Architecturally this may be true. But the realities are that users have issues with passwords right now. Enterprise single sign-on addresses problems immediately. However, it’s also much more than just a tool that signs the user on to anything from their desktop. It is a tool that can be used to solve related business problems and technical challenges just as well as it can deliver users from their credential nightmares.

In this series of four articles, we will explore how enterprise SSO can be used to deliver these additional benefits. We will cover zero touch credential provisioning, making enterprise single sign-on an integrated part of an IAM programme and the management of delegated accounts. First, however, we’ll start with an easy one… making everyone happy all at the same time!

Capturing business requirements for identity and access management projects can be an art. There are so many interested parties – technical, legal, HR, end-users, application owners to name but a few – that it’s rare to reach a speedy consensus. I was in one such meeting with a customer a while back who were trying to explore what the success criteria would be for their enterprise single sign-on initiative. Relatively straightforward, you’d think, but after five hours the customer was still going round in circles! It wasn’t until the project sponsor finally arrived at the meeting and spoke about his vision that sanity was restored. His single request? His single measure? “Make it easy for my users!” That’s all he wanted. If other benefits accrued, that was a bonus.

Oracle’s Enterprise Single Sign-On Suite Plus (Oracle ESSO) is designed to do precisely what the project sponsor wanted. It includes a number of technologies designed to relieve the pain of passwords, by reducing the number of forgotten or incorrect credentials that a user has, whilst simultaneously making it easier to provide those same credentials to users without compromising security. What’s more, these benefits can be obtained surprisingly quickly – Oracle ESSO has a very light footprint and a flexible framework approach to managing credentials for almost any application. Web, Windows, Cloud or mainframe, passwords can quickly be eliminated as a source of pain for users and IT staff alike.

Oracle ESSO takes the management of credentials away from users. It stores passwords in a secure manner so that the user cannot forget them. It manages the password lifecycle, securely updating credentials when they expire. And it streamlines the user experience – application logon is handled automatically, so the user can get to work immediately without having to fumble over the username and password.

Of course, Oracle ESSO also allows the organisation to achieve lots of other benefits if it’s implemented correctly – reduced number of calls to helpdesk, increased productivity through faster password resets and so on. But fundamentally, as a user-facing tool it has to be one that’ll gain rapid acceptance for its deployment to be heralded as a success. The additional benefits won’t appear if the users don’t adopt the new tools they’re given.

aurionPro SENA has considerable experience with the Oracle ESSO suite. In fact, we’ve got the deployment of Oracle ESSO down to a fine art. Referring back to our original customer above – speed of deployment was important. “Proof of concept in days, pilot in weeks, deployment in two months” was the mantra. All with no significant operational impact on either end-users or IT personnel. We helped the customer achieve these goals. Deploying Oracle ESSO requires a delicate balance of technical knowledge, light-touch project management and extremely well-managed engagement with the end-user community. The last element is the most important. Involving key users as early as possible when their applications are being ‘profiled’ for single sign-on helps to ensure that they buy in to the end goal. They understand how Oracle ESSO will enhance the way that they work and are keen to share this with other users. If done right, a cascade of anticipation can ripple through the user community so that, rather than fearing change as can often happen with IT projects, the users are willing the change to arrive sooner! The use of appropriate briefing tools, promotion of the new system and similar techniques can further enhance the effectiveness of the final Oracle ESSO rollout.

So, Oracle ESSO makes it easy for end-users. That’s great, that’s exactly what our customer wanted, and it’s what any user-facing application should strive to do. Deploying Oracle ESSO, when managed properly, is one of those very unusual IT projects, though. Not only does it make things easier for end-users, it also makes things easier for IT support teams, helpdesk operators, auditors and a whole range of teams within the organisation. So it’s win-win all round.

But this is just the starting point. Oracle ESSO acts as a great launch pad for customers looking to further streamline credential management, giving users a better experience whilst also improving security and providing previously unavailable audit data. Stay tuned as we demonstrate how you can unlock the potential of Oracle ESSO.

 

Tuesday May 28, 2013

See How Qualcomm Enforces Compliance with Oracle Identity Management

Qualcomm discusses the benefits of closed loop compliance remediation and other key features of Oracle’s latest Identity Management release, that enable them to meet business objectives, manage user access attestations, and enforce compliance.

Join us in watching this short video to understand how Oracle is enabling Qualcomm to meet and exceed their compliance goals with Oracle Identity Management. Click HERE to watch the video

 

Thursday May 16, 2013

Oracle On Demand Provisioning Service

The growing number of business applications and services that employees need to access makes it increasingly difficult for organizations to create and remove accounts and privileges in a timely fashion, and keep track of everything for compliance purposes. Help-desk costs related to manual account administration and password reset also prove challenging.

To learn more about how Oracle can help your organization deal with these challenges by reducing costs, decreasing exposure and risk, and improving IT efficiencies through Identity Management, download our data sheet on Oracle On Demand Provisioning Service.

Friday May 10, 2013

UPMC to Secure Access for 75,000 IT System Users at Midsize Hospitals with Robust Identity Management Suite

Committed to developing and delivering life-changing medicine, University of Pittsburgh Medical Center (UPMC) is a US$10 billion, integrated, global health enterprise and one of the leading health systems in the United States. UPMC operates more than 20 academic, community, and specialty hospitals and 400 outpatient sites; employs more than 3,200 physicians; and offers an array of rehabilitation, retirement, and long-term care facilities. It is also Pennsylvania’s largest employer and the first nonprofit health system to fully adopt Sarbanes-Oxley standards.

A recognized innovator in information technology, UPMC has deployed an electronic health record across its hospitals and has implemented a semantic interoperability solution to unify information from multiple systems.

UPMC had an in-house-developed identity and access management system in place for eight years. As the healthcare organization’s identity management requirements continue to evolve and become more complex, it decided to move to a commercial, off-the-shelf offering and chose Oracle Identity and Access Management Suite. The solution will provide UPMC with the scalability it requires―managing identities and access for more than 75,000 system users, which include employees, as well as contract staff and medical students on rotation in the organization. It will also deliver the flexibility UPMC requires to continue to adapt its environment to accommodate new systems and requirements.

For the full article, click HERE

For more information on how UPMC and Oracle have partnered to help smaller hospitals with identity management, check our PRESS RELEASE.  


Tuesday Mar 19, 2013

Identity Management Down Under at Victoria University

Educational institutions have a dynamic ecosystem with students, teachers and operational administration requiring significant IT and helpdesk resource investment. Victoria University in Melbourne, Australia embarked on an identity management project to automate and streamline access and authorization to the University’s systems for over 55,000 students and 3000 staff.

Check out the following video to see how the University simplified sign-on process for the students, empowered them with self service and, in the process, eliminated helpdesk overhead.

Monday Mar 18, 2013

Do You Trust Social, Mobile and Cloud?

Over the last decade or so there has been a complete transformation in the way we work and how we consume information. Work is no longer about geography; it is an activity. “Company resources” are not just servers and systems in your server room; they could be in a data center, in the cloud or even on employees’ smart phones, iPads, tablets and more. Users of these “company resources” could be employees with physical badges, vendors, partners or customers connecting through social media channels such as Facebook, Twitter or Pinterest. Work can happen anywhere, via any device, through any network (intranet/social media channels/internet) leveraging company resources.

And why are organizations adopting this “work anywhere, anytime” model? The reasons are plenty - to improve efficiency, bring agility, build user productivity, offer a seamless user experience to their customers or simply to establish a trust relationship with the customer. Social, Mobile and Cloud (SoMoClo) together are a business opportunity, a competitive advantage that organizations are seeking. And Security is the lynchpin in this new work order. Without a secure, seamless digital experience, it all falls apart.

With each new experience, the security risk increases. Each channel presents its own security points of failure. How can my company enable social trust as a means of connecting to customers & employees? How do I accommodate dynamic workgroups and teams of people around the globe that need to be part of my value chain? Is the Bring Your Own Device (BYOD) threatening the security of my digital and intellectual property? How can I securely connect mobile devices to my enterprise without compromising security? Are my applications secure enough to be cloud ready?

The security solution, thus, needs to scale and span across all the channels, encompass the growing breadth of both the “company resources” and the user population. The solution needs to provide the foundation (a platform) that feeds uniform security policies and extends identity context to the complete digital experience.

Naresh Persaud, Director, Security and Identity Management at Oracle, discusses the IT transformation driven by SoMoClo and underscores the need for a sound security solution. Catch this brief screencast on Securing the New Digital Experience to learn how the latest advances in Oracle Identity Management and Oracle Fusion Middleware solutions are fueling the transformation that is driving innovation in IT today.

For more information on Oracle Identity Management, visit us or join the conversation on our blog, Facebook page or catch us on Twitter.

Monday Feb 04, 2013

Avea Customer Success story: webcast wrap-up

Thanks to everyone that joined us for the live webcast on January 31.

For those of you that missed it, the webcast was recorded and I will post the replay link here when it becomes available.

Webcast replay is now available here: click for replay (note: you may have to scroll down to find it)

We were not able to get to all the questions during the call, so I have retrieved the list of questions, and will send them to the Avea team to answer. 

I have also posted the slides below. 

Tuesday Jan 29, 2013

Customer Success Story: How Avea upgraded from Sun to Oracle IDM

Avea is a telecommunications company in Turkey that had a large Sun IDM implementation.  Like many Sun customers, they were planning for the future and were excited by the new features that they saw in the 11g release.

Their upgrade project covered 6300 identities for both employees and partners, 16 enterprise systems including SAP, MS AD, Exchange, Siebel CRM and Unix systems, 150 roles and access policies, 23 request and approval workflow processes, and included attestation and SOD.

This project won the Avea team the coveted Most Innovative IDM Project at Oracle OpenWorld 2012. 

Join us on Thursday, January 31 @ 10:00 am PST to hear them tell all about their project, and get your IDM questions answered by experts during live Q&A.

Click this link to register

Questions submitted during the webcast will be retweeted on #IDMTalk.

Thursday Jan 10, 2013

Partner Blog Series: Deloitte Talks Part 2: BYOD - An Emerging technology Concept

There’s an accelerating trend in the workplace raising new challenges for today’s CIO: the bring your own device (BYOD) revolution. The use and acceptance of mobile devices in the workplace is a critical issue that many chief executives are considering for their corporate environment. A BYOD strategy enables an employee to use a single device with the flexibility and usability they prefer, while providing access to both their personal and business applications and data. There are also potential cost savings for the enterprise as the employee may bear the cost of the device and the ongoing mobile access plan. An enterprise should consider the extent to which BYOD will be embraced, and the challenges BYOD presents as a part of an enterprise’s overall mobile security management strategy.

Before embarking on this journey, an organization should first decide – why BYOD? Does the increased user productivity and availability of data outweigh the risk and the associated mitigation expense? There are risks introduced at the device, application and infrastructure levels that present new challenges. These challenges may vary from compliance issues, to data leaks, to malware and challenges will likely only intensify as the number of mobile devices and operating systems proliferate. Another option is that the employer can provide employees with a mobile device hoping to enhance their productivity and ability to support the organization remotely. The illustrative chart below depicts some of the Pros and Cons of an employer providing corporate mobile devices versus letting employees use their own mobile phones and tablets.

Benefits/Obstacles: Bring Your Own vs. Corporate Provided

Pros (Bring Your Own)

  • Device and connectivity costs incurred by employee
  • Addresses increased demand of employees to connect personal devices to corporate networks

Pros (Corporate Provided)

  • Tighter device oversight and control
  • Streamlining devices, platforms and OSes simplifies IT support
  • Service fees negotiated with service providers; increased purchasing power

Cons (Bring Your Own)

  • Limited device oversight and control
  • Increased challenges with enforcing legal and regulatory requirements
  • Device and data ownership questions

Cons (Corporate Provided)

  • Cost of providing devices
  • High employee demand for broader diversity in devices can lead to lower satisfaction and adoption
  • May require potential increase in IT support staffing and skill set requirements
  • Privacy considerations with monitoring of employee usage and activity, etc.

As an organization gains an understanding of the key risks that may affect the business, the next step is determining and defining the approach to a secure BYOD solution deployment. One of the primary risks of mobile devices to the enterprise is the security of data that is stored on the devices. Corporate email, financial and marketing data and any other sensitive data may leak out of the organization if the device is not encrypted and adequately protected.

Another point to consider is how the organization might prevent rogue mobile devices from accessing the network. What will prevent users from bringing in their own unpatched/unapproved devices into the environment? Network Access Control (NAC) solutions may help to solve this issue. These solutions have become a popular way to manage the risk of employee owned devices. NAC allows organizations to control which devices can access each level of the organization’s internal network. For example, NAC can limit how a device can connect to the network, what it can access, prevent downloading and potentially prohibit a device from connecting at all. A “health-check” that inspects for required security configurations and controls can be performed before allowing a device to connect to the network to keep the network safe from viruses and malware that could be on an employee owned mobile device. If a “health-check” is not performed before the device is allowed on the network, the scenario described below could occur:


When determining the desired approach, it is critical for an organization to understand the specific use cases and incorporate key business drivers and objectives. This will allow the enterprise to determine whether the primary objectives of its BYOD program, from a mobile security perspective, are device centric, data centric or a combination of both.

Device Centric:

  • Mobile device management (MDM)
  • Strict device policy enforcement
  • Local data encryption

Data Centric:

  • Minimal device data footprint
  • Communications encryption
  • Virtualization

A device-centric approach focuses on the mobile device and associated security controls. This approach is typically centered on how the devices are managed, how policies are enforced, data encryption on the local device and solutions such as secure containers. Some key considerations supporting this approach include:

  • MDM software secures, monitors, manages and supports corporate-owned and employee-owned mobile devices deployed across an enterprise
  • Policy enforcement supports permissible/non-permissible devices, considers factors such as who can connect to the network (user types, etc.)
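
The pre-connection health check and the permissible/non-permissible device policy described above can be expressed as one admission decision. The following is an added illustration, not code from the article or from any NAC or MDM product; the platform list, minimum OS versions, segment names and field names are all assumptions.

```python
"""NAC admission sketch: posture health check -> network segment.

Added illustration only. Platforms, minimum OS versions, segment names and
field names are assumptions, not values from the article or any NAC product.
"""
from dataclasses import dataclass
from enum import Enum


class Segment(Enum):
    DENY = "no network access"
    QUARANTINE = "remediation network only"
    INTERNET_ONLY = "guest internet, no internal hosts"
    RESTRICTED = "named internal applications only"
    CORPORATE = "internal network"


# Assumed approved platforms with the minimum OS version each must run.
MIN_OS = {"ios": (6, 0), "android": (4, 1)}

# Highest segment each user type may ever reach, however healthy the device.
MAX_SEGMENT = {
    "employee": Segment.CORPORATE,
    "contractor": Segment.RESTRICTED,
    "guest": Segment.INTERNET_ONLY,
}


@dataclass(frozen=True)
class Posture:
    user_type: str
    platform: str
    os_version: tuple
    mdm_enrolled: bool
    storage_encrypted: bool
    passcode_set: bool
    jailbroken: bool


def health_check(p):
    """Return (blocking, fixable) lists of failed checks for one device."""
    blocking, fixable = [], []
    if p.platform not in MIN_OS:
        blocking.append("unapproved platform: " + p.platform)
    elif p.os_version < MIN_OS[p.platform]:
        fixable.append("OS below required patch level")
    if p.jailbroken:
        blocking.append("jailbroken or rooted")
    if not p.mdm_enrolled:
        fixable.append("not enrolled in MDM")
    if not p.storage_encrypted:
        fixable.append("local storage not encrypted")
    if not p.passcode_set:
        fixable.append("no device passcode")
    return blocking, fixable


def admit(p):
    """Pick the segment before the device is allowed onto the network."""
    if p.user_type not in MAX_SEGMENT:
        return Segment.DENY, ["unknown user type: " + p.user_type]
    if p.user_type == "guest":
        # Assumption: guest devices cannot be inspected, so isolate them.
        return Segment.INTERNET_ONLY, []
    blocking, fixable = health_check(p)
    if blocking:
        return Segment.DENY, blocking
    if fixable:
        # Fixable gaps go to a remediation segment instead of a hard refusal.
        return Segment.QUARANTINE, fixable
    return MAX_SEGMENT[p.user_type], []


if __name__ == "__main__":
    # Constructed sample devices.
    samples = [
        Posture("employee", "ios", (6, 1), True, True, True, False),
        Posture("employee", "android", (4, 0), True, False, True, False),
        Posture("contractor", "android", (4, 2), True, True, True, False),
        Posture("employee", "ios", (6, 1), True, True, True, True),
    ]
    for s in samples:
        segment, reasons = admit(s)
        print(s.user_type, s.platform, "->", segment.name, reasons)
```

Returning the failed checks alongside the segment gives the help desk and the audit trail the reason for each quarantine or refusal.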

A data-centric approach focuses on the data stored or processed by the mobile device and how it is secured and transmitted. This approach considers how the data is managed on the devices, transmission security, virtualization and data integrity. Some key considerations are:

  • Minimizing local data storage on the device reduces the risk associated with device loss or theft
  • Securing the transmission of the data from the mobile device to internal/external servers, applications, or other devices is critical
  • Virtualization is an important technology/solution to consider in a data centric approach: virtual desktops accessible from the mobile device or data stored in virtual/cloud environments are critical elements to evaluate
  • Accessing corporate data from mobile devices introduces the need for data integrity controls

For a solid BYOD approach, not only are well defined policies and standards critical, but the technology that enforces this governance should be in place to help ensure that the standards are adhered to. Many organizations may have well defined and communicated policies, but enforcing these restrictions on their users may be a daunting task without the appropriate technology and security framework. To facilitate this approach, mobile security requirements should be defined. A gap analysis should be conducted comparing current state capabilities to the desired state. Next, an overall mobile security operations framework should be developed and the operational processes to support this framework need to be defined. If the mobile security framework is planned appropriately to support a BYOD program and the risks are mitigated throughout the lifecycle, enterprises may see increased user productivity and satisfaction.

About the Writer:

Tim Sanouvong is a Senior Manager in Deloitte & Touche LLP’s Security & Privacy practice with 13 years of experience in the information security area. He specializes in leading large security projects spanning areas such as security strategy and governance, mobile security, and identity and access management. He has consulted for several clients across diverse industries such as financial services, retail, healthcare, state government, and aerospace and defense.


Wednesday Jan 09, 2013

Telenet uses Oracle Identity Management

The Company:

Founded in 1996, Telenet began as a European broadband services pioneer. Today, the company is a market leader in Belgium for residential high-speed internet, telephony, and digital television services. It serves 1.24 million digital television subscribers, 1.22 million internet customers, and 815,000 fixed telephony accounts. Telenet Solutions, the company’s business market division, offers a complete communications solutions portfolio for organizations and corporations, holding a commanding lead in the Belgian/Luxembourg business market.

Business Challenges:

  • Existing legacy identity management system required custom coding and was hard to maintain
  • Need to automate user provisioning for a dynamic workforce
  • Need to automate immediate revocation of user accounts on job changes to improve security
  • Wanted to accelerate the internal approval process for user access to business application
  • Build transparency and gain complete insight into who has access to what and when

Solution:

Telenet implemented Oracle Identity Management to centralize identity management and security operations. Leveraging Oracle Identity Manager and Oracle Identity Analytics (part of Oracle Identity Governance Suite), Telenet managed to automate user account administration, streamline user access control, optimize license management and offer insight into who had access to what business applications.

For more information on Telenet’s implementation, check out the case study and the following video.


Friday Dec 21, 2012

Webcast Replay: Securing the Cloud for Public Sector



Thursday Dec 20, 2012

Webcast Replay Now Available: Developing and Enforcing a BYOD Policy

Mobile Device Policy is a hot topic for IT - everyone knows they need a policy and enforcement tools, but few companies have actually created a formal policy covering employee owned devices.

Oracle and SANS teamed up to present a comprehensive look at mobile device policy: in the first segment, security expert Tony DeLaGrange presents current trends in mobile device policy based on a recent SANS survey.  In the second segment, SANS legal expert Ben Wright discusses the pros and cons of various BYOD policies from legal perspective.  And in the third segment, Oracle's own Lee Howarth presents the technology and software necessary to enforce mobile device and application access policies.

Click this link to register and listen to the replay: Webcast Registration

The presentation for this webcast is posted below.

Monday Dec 17, 2012

Partner Blog: aurionPro SENA - Mobile Application Convenience, Flexibility & Innovation Delivered

About the Writer:

Des Powley is Director of Product Management for aurionPro SENA Inc., the leading global Oracle Identity and Access Management specialist delivery and product development partner.

In October 2012 aurionPro SENA announced the release of the Mobile IDM application that delivers key Identity Management functions from any mobile device.

The move towards an always on, globally interconnected world is shifting Business and Consumers alike away from traditional PC based Enterprise application access and more and more towards an ‘any device, same experience’ world. It is estimated that within five years in many developing regions of the world the PC will be obsolete, replaced entirely by cheaper mobile and tablet devices. This will give a vast amount of new entrants to the Internet their first experience of the online world, and it will only be via these newer, mobile access channels.

Designed to address this shift in working and social environments and released in October of 2012, the aurionPro SENA Mobile IDM application directly addresses this emerging market and requirement. It enhances the Identity Management (IDM) experience of administrators, consumers and managers by delivering a mobile application that provides rapid access to frequently used IDM services from any mobile device.

Built on the aurionPro SENA Identity Service platform, the mobile application uses Oracle’s Cloud, Mobile and Social capabilities and Oracle’s Identity Governance Suite for its core functions. The application has been developed using standards-based APIs to ensure seamless integration with a client’s on-premise IDM implementation or equally seamlessly with the aurionPro SENA Hosted Identity Service.

The solution delivers multi platform support including iOS, Android and Blackberry and provides many key features including:

  • Providing an easy-to-access view of all of a user's own access privileges
  • The ability for managers to approve and track requests
  • Simply raising requests for new applications, roles and entitlements through the service catalogue

This application has been designed and built with convenience and security in mind. We protect access to critical applications by enforcing PIN based authentication whilst also providing the user with mobile single sign on capability.

This is just one of the many highly innovative products and services that aurionPro SENA is developing for our clients as we continually strive to enhance the value of their investment in Oracle’s class leading 11G R2 Identity and Access Management suite.

The Mobile IDM application is a key component of our Identity Services Suite that also includes Managed, Hosted and Cloud Identity Services. The Identity Services Suite has been designed and built specifically to break the barriers to delivering Enterprise, Mobile and Social Identity Management services from the Cloud.

aurionPro SENA - Building next generation Identity Services for modern enterprises.

To view the app please visit http://youtu.be/btNgGtKxovc

For more information please contact des.powley@aurionprosena.com

Friday Dec 14, 2012

Grow Your Business with Security

Author: Kevin Moulton

Kevin Moulton has been in the security space for more than 25 years, and with Oracle for 7 years. He manages the East Enterprise Security Sales Consulting Team. He is also a Distinguished Toastmaster. Follow Kevin on Twitter at twitter.com/kevin_moulton, where he sometimes tweets about security, but might also tweet about running, beer, food, baseball, football, good books, or whatever else grabs his attention. Kevin will be a regular contributor to this blog so stay tuned for more posts from him.

It happened again! There I was, reading something interesting online, and realizing that a friend might find it interesting too. I clicked on the little email link, thinking that I could easily forward this to my friend, but no! Instead, a new screen popped up where I was asked to create an account. I was expected to create a User ID and password, not to mention providing some personally identifiable information, just for the privilege of helping that website spread their word.

Of course, I didn't want to have to remember a new account and password, I didn't want to provide the requisite information, and I didn't want to waste my time. I gave up, closed the web page, and moved on to something else. I was left with a bad taste in my mouth, and my friend might never find her way to this interesting website. If you were this content provider, would this be the outcome you were looking for?

A few days later, I had a similar experience, but this one went a little differently. I was surfing the web, when I happened upon some little tchotchke that I just had to have. I added it to my cart. When I went to buy the item, I was again brought to a page to create an account. Groan!

But wait! On this page, I also had the option to sign in with my OpenID account, my Facebook account, my Yahoo account, or my Google Account. I have all of those! No new account to create, no new password to remember, and no personally identifiable information to be given to someone else (I've already given it all to those other guys, after all).

In this case, the vendor was easy to deal with, and I happily completed the transaction. That pleasant experience will bring me back again.

This is where security can grow your business. It's a differentiator. You've got to have a presence on the web, and that presence has to take into account all the smart phones everyone's carrying, and the tablets that took over cyber Monday this year. If you are a company that a customer can deal with securely, and do so easily, then you are a company customers will come back to again and again.

I recently had a need to open a new bank account. Every bank has a web presence now, but they are certainly not all the same. I wanted one that I could deal with easily using my laptop, but I also wanted 2-factor authentication in case I had to login from a shared machine, and I wanted an app for my iPad. I found a bank with all three, and that's who I am doing business with.

Let's say, for example, that I'm in a regular Texas Hold-em game on Friday nights, so I move a couple of hundred bucks from checking to savings on Friday afternoons. I move a similar amount each week and I do it from the same machine. The bank trusts me, and they trust my machine. Most importantly, they trust my behavior. This is adaptive authentication. There should be no reason for my bank to make this transaction difficult for me.

Now let's say that I login from a Starbucks in Uzbekistan, and I transfer $2,500. What should my bank do now? Should they stop the transaction? Should they call my home number? (My former bank did exactly this once when I was taking money out of an ATM on a business trip, when I had provided my cell phone number as my primary contact. When I asked them why they called my home number rather than my cell, they told me that their policy is to call the home number. If I'm on the road, what exactly is the use of trying to reach me at home to verify my transaction?)

But, back to Uzbekistan

Should my bank assume that I am happily at home in New Jersey, and someone is trying to hack into my account? Perhaps they think they are protecting me, but I wouldn't be very happy if I happened to be traveling on business in Central Asia.

What if my bank were to automatically analyze my behavior and calculate a risk score? Clearly, this scenario would be outside of my typical behavior, so my risk score would necessitate something more than a simple login and password. Perhaps, in this case, a one-time password to my cell phone would prove that this is not just some hacker half way around the world.
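
The two scenarios above (the routine Friday transfer and the $2,500 transfer from an unfamiliar place) can be run through a small behavior-based scorer. This is an added illustration, not code from this post and not how Oracle Adaptive Access Manager or any bank computes risk; the weights, the threshold, the field names and the sample history are assumptions constructed for the example.

```python
"""Behavior-based risk score with step-up authentication (added illustration).

Weights, threshold, field names and sample data are assumptions, not the
logic of any real product.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev

STEP_UP_THRESHOLD = 30   # assumed: at or above this, ask for a one-time password
W_NEW_DEVICE = 40
W_NEW_COUNTRY = 40
W_UNUSUAL_AMOUNT = 20


@dataclass(frozen=True)
class Event:
    device_id: str
    country: str
    amount: float


@dataclass
class Profile:
    history: list = field(default_factory=list)

    def score(self, ev):
        """Return (score, reasons) for ev measured against past behavior."""
        if not self.history:
            return 100, ["no behavioral baseline yet"]
        score, reasons = 0, []
        if ev.device_id not in {h.device_id for h in self.history}:
            score += W_NEW_DEVICE
            reasons.append("device not seen before")
        if ev.country not in {h.country for h in self.history}:
            score += W_NEW_COUNTRY
            reasons.append("country not seen before")
        amounts = [h.amount for h in self.history]
        avg = mean(amounts)
        # Floor the spread so a very regular customer is not flagged for
        # a few dollars of variation.
        spread = max(pstdev(amounts), 0.1 * avg)
        if ev.amount > avg + 3 * spread:
            score += W_UNUSUAL_AMOUNT
            reasons.append("amount far above usual")
        return score, reasons

    def authorize(self, ev, otp_verified=False):
        """Allow low-risk events; otherwise require a verified OTP first."""
        score, reasons = self.score(ev)
        if score < STEP_UP_THRESHOLD or otp_verified:
            self.history.append(ev)   # accepted behavior extends the baseline
            return "allow", score, reasons
        return "step_up_otp", score, reasons


def sample_profile():
    """Constructed history: weekly transfers of about $200 from one laptop."""
    amounts = [200.0, 180.0, 220.0, 200.0, 210.0, 190.0]
    return Profile([Event("laptop-home", "US", a) for a in amounts])


if __name__ == "__main__":
    profile = sample_profile()
    print(profile.authorize(Event("laptop-home", "US", 200.0)))
    traveling = Event("cafe-pc", "UZ", 2500.0)
    print(profile.authorize(traveling))                      # asks for OTP
    print(profile.authorize(traveling, otp_verified=True))   # OTP passed
```

The risky event is neither silently allowed nor blocked outright: the score only decides how much proof is asked for, which is the trade-off the post argues for.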

But, what if you're not a bank? Do you need this level of security? If you want to be a business that is easy to deal with while also protecting your customers, then of course you do.

You want your customers to trust you, but you also want them to enjoy doing business with you. Make it easy for them to do business with you, and they'll come back, and perhaps even Tweet about it, or Like you, and then their friends will follow.

How can Oracle help?

Oracle has the technology and expertise to help you to grow your business with security.

Oracle Adaptive Access Manager will help you to prevent fraud while making it easier for your customers to do business with you by providing the risk analysis I discussed above, step-up authentication, and much more.

Oracle Mobile and Social Access Service will help you to secure mobile access to applications by expanding on your existing back-end identity management infrastructure, and allowing your customers to transact business with you using the social media accounts they already know. You also have device fingerprinting and metrics to help you to grow your business securely.

Security is not just a cost anymore. It's a way to set your business apart. With Oracle's help, you can be the business that everyone's tweeting about.

Image courtesy of Flickr user shareski

Tuesday Dec 11, 2012

Webcast Tomorrow: Securing the Cloud for Public Sector


Click here, to register for the live webcast.


Dec 12 For 360 Degree View of Security in the Cloud


Cloud computing offers government organizations tremendous potential to enhance public value by helping organizations increase operational efficiency and improve service delivery. However, as organizations pursue cloud adoption to achieve the anticipated benefits, a common set of questions has surfaced. “Is the cloud secure? Are all clouds equal with respect to security and compliance? Is our data safe in the cloud?”

Join us December 12th for a webcast as part of the “Secure Government Training Series” to get answers to your pressing cloud security questions and learn how to best secure your cloud environments. You will learn about a comprehensive set of security tools designed to protect every layer of an organization’s cloud architecture, from application to disk, while ensuring high levels of compliance, risk avoidance, and lower costs.

Discover how to control and monitor access, secure sensitive data, and address regulatory compliance across cloud environments by:

  • providing strong authentication, data encryption, and (privileged) user access control to ensure that information is only accessible to those who need it
  • mitigating threats across your databases and applications
  • protecting applications and information – no matter where it is – at rest, in use and in transit


For more information, access the Secure Government Resource Center or, to speak with an Oracle representative, please call 1.800.ORACLE1.




LIVE Webcast: Securing the Cloud for Public Sector
Date: Wednesday, December 12, 2012
Time: 2:00 p.m. ET

Thursday Dec 06, 2012

Tackling Security and Compliance Barriers with a Platform Approach to IDM: Featuring SuperValu

On October 25, 2012 ISACA and Oracle sponsored a webcast discussing how SUPERVALU has embraced the platform approach to IDM.  Scott Bonnell, Sr. Director of Product Management at Oracle, and Phil Black, Security Director for IAM at SUPERVALU discussed how a platform strategy could be used to formulate an upgrade plan for a large SUN IDM installation.

See the webcast replay here: ISACA Webcast Replay (Requires Internet Explorer or Chrome)

Some of the main points discussed in the webcast include:

  • Getting support for an upgrade project by aligning with corporate initiatives
  • How to leverage an existing IDM investment while planning for future growth
  • How SUN and Oracle IDM architectures can be used in a coexistence strategy
  • Advantages of a rationalized, modern, IDM Platform architecture


 

Tuesday Nov 20, 2012

Oracle on Oracle: Is that all?

On October 17th, I posted a short blog and a podcast interview with Chirag Andani, talking about how Oracle IT uses its own IDM products. Blog link here.


In response, I received a comment from reader Jaime Cardoso (jaimec@jaimec.pt) who posted:

“- You could have talked about how by deploying Oracle's Open standards base technology you were able to integrate any new system in your infrastructure in days.

- You could have talked about how by deploying federation you were enabling the business side to keep all their options open in terms of companies to buy and sell while maintaining perfect employee and customer's single view.

- You could have talked about how you are now able to cut response times to your audit and security teams into 1/10th of your former times

Instead you spent 6 minutes talking about single sign on and self provisioning? If I didn't know your IDM offer so well I would now be wondering what its differences from Microsoft's offer were.

Sorry for not giving a positive comment here but, please, your IDM suite is very good and you simply aren't promoting it well enough”

So I decided to send Jaime a note asking him about his experience, and to get his perspective on what makes the Oracle products great. What I found out is that Jaime is a very experienced IDM Architect with several major projects under his belt.

Darin Pendergraft: Can you tell me a bit about your experience? How long have you worked in IT, and what is your IDM experience?

Jaime Cardoso: I started working in "serious" IT in 1998 when I became Netscape's technical specialist in Portugal. Netscape Portugal didn't exist so, I was working for their VAR here. Most of my work at the time was with Netscape's mail server and LDAP server.

Since that time I've been bouncing between the systems side, like Sun resellers, Solaris stuff and even worked with Sun's Engineering in the making of a Hierarchical Storage Product (Sun CIS if you know it), and the applications side, mostly in LDAP and IDM.

Over the years I've been doing support, service delivery and pre-sales / architecture design of IDM solutions in most big customers in Portugal, to name a few projects:

- The first European deployment of Sun Access Manager (SAPO – Portugal Telecom)

- The identity repository of 5/5 of the Biggest Portuguese banks

- The Portuguese government federation of services project

DP: OK, in your blog response, you mentioned 3 topics:

1. Using Oracle's standards based architecture; (you) were able to integrate any new system in days: can you give an example? What systems, how long did it take, number of apps/users/accounts/roles etc.

JC: It's relatively easy to design a user management strategy for a static environment, or if you simply assume that you're an <insert vendor here> shop and all your systems will bow to that vendor's will. We've all seen that path, the use of proprietary technologies in interoperability solutions but, then reality kicks in. As an ISP I recall that I made the technical decision to use Active Directory as a central authentication system for the entire IT infrastructure. Clients, systems, apps, everything was there.

As a good part of the systems and apps were running on UNIX, then a connector became needed in order to have UNIX boxes to authenticate against AD. And, that strategy worked but, each new machine required the component to be installed, monitoring had to be made for that component and each new app had to be independently certified.

A self care user portal was an ongoing project, AD access assumes the client is inside the domain, something the ISP's customers (and UNIX boxes) weren't nor had any intention of ever being.

When the Windows 2008 rollout was done, Microsoft changed the Active Directory interface. The Windows administrators didn't have enough know-how about directories and the way systems outside the MS world behaved so, on the go live, things weren't properly tested and a general outage followed. Several hours and 1 roll back later, everything was back working.

But, the ISP still had to change all of its applications to work with the new access methods and reset the effort spent on the self service user portal. To keep with the same strategy, they would also have to trust Microsoft not to change interfaces again.

Simply by putting up an Oracle LDAP server in the middle and replicating the user info from the AD into LDAP, most of the problems went away. Even systems for which no AD connector existed had PAM in them so, integration was made at the OS level, fully supported by the OS supplier.

Sun Identity Manager already had a self care portal, combined with a user workflow so, all the clearances had to be given before the account was created or updated.

Adding a new system as a client for these authentication services was simply a new checkbox in the OS installer and even Tru64 systems were, for the first time, integrated also with 5 minutes of work by a junior system admin.

True, all the windows clients and MS apps still went to the AD for their authentication needs so, from the start everybody knew that they weren't 100% free of migration pains but, now they had a single point of problems to look at.

If you're looking for numbers:

- 500K directory entries (users)

- 2-300 systems

After the initial setup, I personally integrated about 20 systems / apps against LDAP in 1 day while being watched by the different IT teams. The internal IT staff did the rest.

DP: 2. Using Federation allows the business to keep options open for buying and selling companies, and yet maintain a single view for both employee and customer. What do you mean by this? Can you give an example?

JC: The market is dynamic. The company that's being bought today tomorrow will be sold again. Companies that spread on different markets may see the regulator forcing a sale of part of a company due to monopoly reasons and companies that are in multiple countries have to comply with different legislations.

Our job, as IT architects, while addressing the customers and employees authentication services, is quite hard and, quite contrary. On one hand, we need to give access to all of our employees to the relevant systems, apps and resources and, we already have marketing talking with us trying to find out who's a customer of the bought company but not from ours to address.

On the other hand, we have to do that and keep in mind we may have to break up all that effort and that different countries' legislation may become a problem with a full integration plan.

That's a job for user Federation. You don't want to be the one who's telling your President that he will sell that business unit without its customers' database (making the deal worth a lot less) or that the buyer will take with him a copy of your entire customers' database. Federation enables you to start controlling permissions to users outside of your traditional authentication realm. So what if the people of that company you just bought are keeping their old logins? Do you want, because of that, to have a dedicated system for their expenses reports? And do you want to keep their sales (and pre-sales) people out of the loop in terms of your group's path?

Control the information flow, establish a Federation trust circle and give access to your apps to users that haven't (yet?) been brought into your internal login systems. You can still see your users in a unified view, you obviously control if a user has access to any particular application, either that user is in your local database or stored in a directory on the other side of the world.

DP: 3. Cut response times of audit and security teams to 1/10. Is this a real number? Can you give an example?

JC: No, I don't have any backing for this number.

One of the companies I did system Administration for has a SOX compliance policy in place (I remind you that I live in Portugal so, this definition of SOX may be somewhat different from what you're used to) and, every time the audit team says they'll do another audit, we have to negotiate with them the size of the sample and we spend about 15 man/days gathering all the required info they ask.

I did some work with Sun's Identity auditor and, from what I've been seeing, Oracle's product is even better and, I've seen that most of the information they ask would have been provided in a few hours with the help of this tool. I do stand by what I said here but, to be honest, someone from Identity Auditor team would do a much better job than me explaining this time savings.

Jaime is right: the Oracle IDM products have a lot of business value, and Oracle IT is using them for a lot more than I was able to cover in the short podcast that I posted.

I want to thank Jaime for his comments and perspective. We want these blog posts to be informative and honest – so if you have feedback for the Oracle IDM team on any topic discussed here, please post your comments below.
