Tuesday Mar 19, 2013

Identity Management Down Under at Victoria University

Educational institutions have a dynamic ecosystem with students, teachers and operational administration requiring significant IT and helpdesk resource investment. Victoria University in Melbourne, Australia embarked on an identity management project to automate and streamline access and authorization to the University’s systems for over 55,000 students and 3000 staff.

Check out the following video to see how the University simplified sign-on process for the students, empowered them with self service and, in the process, eliminated helpdesk overhead.

Monday Mar 18, 2013

Do You Trust Social, Mobile and Cloud?

The last decade or so there has been a complete transformation in the way we work or how we consume information. Work is no longer about geography, it is an activity. “Company resources” are not just servers and systems in your server room, these could be in a data center, in the cloud or even the employees’ smart phones, iPads, tablets and more. Users of these “company resources” could be employees with physical badges, vendors, partners or customers connecting through the social media channels as Facebook, Twitter or Pinterest. Work can happen anywhere, via any device, through any network (intranet/social media channels/internet) leveraging company resources.

And why are organizations adapting this “work anywhere, anytime” model? The reasons are plenty - to improve efficiency, bring agility, build user productivity, offer seamless user experience to its customers or to simply establish a trust relationship with the customer. Social, Mobile and Cloud (SoMoClo) together is a business opportunity, a competitive advantage that organizations are seeking. And Security is the lynchpin in this new work order. Without a secure, seamless digital experience, it all falls apart.

With each new experience, the security risk increases. Each channel presents its own security points of failure. How can my company enable social trust as a means of connecting to customers & employees? How do I accommodate dynamic workgroups and teams of people around the globe that need to be part of my value chain? Is the Bring Your Own Device (BYOD) threatening the security of my digital and intellectual property? How can I securely connect mobile devices to my enterprise without compromising security? Are my applications secure enough to be cloud ready?

The security solution, thus, needs to scale and span across all the channels, encompass the growing breadth of both the “company resources” and the user population. The solution needs to provide the foundation (a platform) that feeds uniform security policies and extends identity context to the complete digital experience.

Naresh Persaud, Director, Security and Identity Management at Oracle, discusses the IT transformation driven by SoMoClo and underscores the need for a sound security solution. Catch this brief screencast on Securing the New Digital Experience to learn how the latest advances in Oracle Identity Management and Oracle Fusion Middleware solutions are fueling the transformation that is driving innovation in IT today.

For more information on Oracle Identity Management, visit us or join the conversation on our blog, Facebook page or catch us on Twitter.

Monday Feb 04, 2013

Avea Customer Success story: webcast wrap-up

Thanks to everyone that joined us for the live webcast on January 31.

For those of you that missed it, the webcast was recorded and I will post the replay link here when it becomes available.

Webcast replay is now available here: click for replay (note: you may have to scroll down to find it)

We were not able to get to all the questions during the call, so I have retrieved the list of questions, and will send them to the Avea team to answer. 

I have also posted the slides below. 

Tuesday Jan 29, 2013

Customer Success Story: How Avea upgraded from Sun to Oracle IDM

Avea is a telecommunications company in Turkey that had a large Sun IDM implementation.  Like many Sun customers, they were planning for the future and were excited by the new features that they saw in the 11g release.

Their upgrade project covered 6300 identities for both employees and partners, 16 enterprise systems including SAP, MS AD, Exchange, Siebel CRM and Unix systems, 150 roles and access policies, 23 request and approval workflow processes, and included attestation and SOD.

This project won the Avea team the coveted Most Innovative IDM Project at Oracle OpenWorld 2012. 

Join us on Thursday, January 31 @ 10:00 am PST to hear them tell all about their project, and get your IDM questions answered by experts during live Q&A.

Click this link to register

Questions submitted during the webcast will be retweeted on #IDMTalk.

Thursday Jan 10, 2013

Partner Blog Series: Deloitte Talks Part 2: BYOD - An Emerging technology Concept

There’s an accelerating trend in the workplace raising new challenges for today’s CIO: the bring your own device (BYOD) revolution. The use and acceptance of mobile devices in the workplace is a critical issue that many chief executives are considering for their corporate environment. A BYOD strategy enables an employee to use a single device with the flexibility and usability they prefer, while providing access to both their personal and business applications and data. There are also potential cost savings for the enterprise as the employee may bear the cost of the device and the ongoing mobile access plan. An enterprise should consider the extent to which BYOD will be embraced, and the challenges BYOD presents as a part of an enterprise’s overall mobile security management strategy.

Before embarking on this journey, an organization should first decide – why BYOD? Does the increased user productivity and availability of data outweigh the risk and the associated mitigation expense? There are risks introduced at the device, application and infrastructure levels that present new challenges. These challenges may vary from compliance issues, to data leaks, to malware and challenges will likely only intensify as the number of mobile devices and operating systems proliferate. Another option is that the employer can provide employees with a mobile device hoping to enhance their productivity and ability to support the organization remotely. The illustrative chart below depicts some of the Pros and Cons of an employer providing corporate mobile devices versus letting employees use their own mobile phones and tablets.

Benefits/Obstacles

Bring Your Own

Corporate Provided

Pros

  • Device and connectivity costs incurred by employee
  • Addresses increased demand of employees to connect personal devices to corporate networks

  • Tighter device oversight and control
  • Streamlining devices, platforms and OSes simplifies IT support
  • Service fees negotiated with service providers; increased purchasing power

Cons

  • Limited device oversight and control
  • Increased challenges with enforcing legal and regulatory requirements
  • Device and data ownership questions

  • Cost of providing devices
  • High employee demand for broader diversity in devices can lead to lower satisfaction and adoption
  • May require potential increase in IT support staffing and skill set requirements
  • Privacy considerations with monitoring of employee usage and activity, etc.

As an organization gains an understanding of the key risks that may affect the business, the next step is determining and defining the approach to a secure BYOD solution deployment. One of the primary risks of mobile devices to the enterprise is the security of data that is stored on the devices. Corporate email, financial and marketing data and any other sensitive data may leak out of the organization if the device is not encrypted and adequately protected.

Another point to consider is how the organization might prevent rogue mobile devices from accessing the network. What will prevent users from bringing in their own unpatched/unapproved devices into the environment? Network Access Control (NAC) solutions may help to solve this issue. These solutions have become a popular way to manage the risk of employee owned devices. NAC allows organizations to control which devices can access each level of the organization’s internal network. For example, NAC can limit how a device can connect to the network, what it can access, prevent downloading and potentially prohibit a device from connecting at all. A “health-check” that inspects for required security configurations and controls can be performed before allowing a device to connect to the network to keep the network safe from viruses and malware that could be on an employee owned mobile device. If a “health-check” is not performed before the device is allowed on the network, the scenario described below could occur:


When determining the desired approach, it is critical for an organization to understand the specific use cases and incorporate key business drivers and objectives. This will allow the enterprise to determine if the primary objectives from a mobile security perspective are device, or data centric or a combination of both for their BYOD program.

Device Centric

Data Centric

Mobile device management (MDM)

Minimal device data footprint

Strict device policy enforcement

Communications encryption

Local data encryption

Virtualization

A device-centric approach focuses on the mobile device and associated security controls. This approach is typically centered on how the devices are managed, how policies are enforced, data encryption on the local device and solutions such as secure containers. Some key considerations supporting this approach include:

  • MDM software secures, monitors, manages and supports corporate-owned and employee-owned mobile devices deployed across an enterprise
  • Policy enforcement supports permissible/non-permissible devices, considers factors such as who can connect to the network (user types, etc.)

A data-centric approach focuses on the data stored or processed by the mobile device and how it is secured and transmitted. This approach considers how the data is managed on the devices, transmission security, virtualization and data integrity. Some key considerations are:

  • Minimizing local data storage on the device reduces the risk associated with device loss or theft
  • Securing the transmission of the data from the mobile device to internal/external servers, applications, or other devices is critical
  • Virtualization is an important technology/solution to consider in a data centric approach: virtual desktops accessible from the mobile device or data stored in virtual/cloud environments are critical elements to evaluate
  • Accessing corporate data from mobile devices introduces the need for data integrity controls

For a solid BYOD approach, not only are well defined policies and standards critical, but the technology that enforces this governance should be in place to help ensure that the standards are adhered to. Many organizations may have well defined and communicated policies, but enforcing these restrictions on their users may be a daunting task without the appropriate technology and security framework. To facilitate this approach, mobile security requirements should be defined. A gap analysis should be conducted comparing current state capabilities to the desired state. Next, an overall mobile security operations framework should be developed and the operational processes to support this framework need to be defined. If the mobile security framework is planned appropriately to support a BYOD program and the risks are mitigated throughout the lifecycle, enterprises may see increased user productivity and satisfaction.

About the Writer:

Tim Sanouvong is a Senior Manager in Deloitte & Touche LLP’s Security & Privacy practice with 13 years of experience in the information security area. He specializes in leading large security projects spanning areas such as security strategy and governance, mobile security, and identity and access management. He has consulted for several clients across diverse industries such as financial services, retail, healthcare, state government, and aerospace and defense.

This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this document.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see
www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2013 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited

Wednesday Jan 09, 2013

Telenet uses Oracle Identity Management

The Company:

Founded in 1996, Telenet began as a European broadband services pioneer. Today, the company is a market leader in Belgium for residential high-speed internet, telephony, and digital television services. It serves 1.24 million digital television subscribers, 1.22 million internet customers, and 815,000 fixed telephony accounts. Telenet Solutions, the company’s business market division, offers a complete communications solutions portfolio for organizations and corporations, holding a commanding lead in the Belgian/Luxembourg business market.

Business Challenges:

  • Existing legacy identity management system required custom coding and was hard to maintain
  • Need to automate user provisioning for a dynamic workforce
  • Need to automate immediate revocation of user accounts on job changes to improve security
  • Wanted to accelerate the internal approval process for user access to business application
  • Build transparency and gain complete insight into who has access to what and when

Solution:

Telenet implemented Oracle Identity Management to centralize identity management and security operations. Leveraging Oracle Identity Manager and Oracle Identity Analytics (part of Oracle Identity Governance Suite), Telenet managed to automate user account administration, streamline user access control, optimize license management and offer insight into who had access to what business applications.

For more information on Telenet’s implementation, check out the case study and the following video.


Friday Dec 21, 2012

Webcast Replay: Securing the Cloud for Public Sector


[Read More]

Thursday Dec 20, 2012

Webcast Replay Now Available: Developing and Enforcing a BYOD Policy

Mobile Device Policy is a hot topic for IT - everyone knows they need a policy and enforcement tools, but few companies have actually created a formal policy covering employee owned devices.

Oracle and SANS teamed up to present a comprehensive look at mobile device policy: in the first segment, security expert Tony DeLaGrange presents current trends in mobile device policy based on a recent SANS survey.  In the second segment, SANS legal expert Ben Wright discusses the pros and cons of various BYOD policies from legal perspective.  And in the third segment, Oracle's own Lee Howarth presents the technology and software necessary to enforce mobile device and application access policies.

Click this link to register and listen to the replay: Webcast Registration

The presentation for this webcast is posted below.

Monday Dec 17, 2012

Partner Blog: aurionPro SENA - Mobile Application Convenience, Flexibility & Innovation Delivered

About the Writer:

Des Powley is Director of Product Management for aurionPro SENA inc. the leading global Oracle Identity and Access Management specialist delivery and product development partner.

In October 2012 aurionPro SENA announced the release of the Mobile IDM application that delivers key Identity Management functions from any mobile device.

The move towards an always on, globally interconnected world is shifting Business and Consumers alike away from traditional PC based Enterprise application access and more and more towards an ‘any device, same experience’ world. It is estimated that within five years in many developing regions of the world the PC will be obsolete, replaced entirely by cheaper mobile and tablet devices. This will give a vast amount of new entrants to the Internet their first experience of the online world, and it will only be via these newer, mobile access channels.

Designed to address this shift in working and social environments and released in October of 2012 the aurionPro SENA Mobile IDM application directly addresses this emerging market and requirement by enhancing administrators, consumers and managers Identity Management (IDM) experience by delivering a mobile application that provides rapid access to frequently used IDM services from any Mobile device.

Built on the aurionPro SENA Identity Service platform the mobile application uses Oracle’s Cloud, Mobile and Social capabilities and Oracle’s Identity Governance Suite for it’s core functions. The application has been developed using standards based API’s to ensure seamless integration with a client’s on premise IDM implementation or equally seamlessly with the aurionPro SENA Hosted Identity Service.

The solution delivers multi platform support including iOS, Android and Blackberry and provides many key features including:

Providing easy to access view all of a users own access privileges

The ability for Managers to approve and track requests

Simply raising requests for new applications, roles and entitlements through the service catalogue

This application has been designed and built with convenience and security in mind. We protect access to critical applications by enforcing PIN based authentication whilst also providing the user with mobile single sign on capability.

This is just one of the many highly innovative products and services that aurionPro SENA is developing for our clients as we continually strive to enhance the value of their investment in Oracle’s class leading 11G R2 Identity and Access Management suite.

The Mobile IDM application is a key component of our Identity Services Suite that also includes Managed, Hosted and Cloud Identity Services. The Identity Services Suite has been designed and built specifically to break the barriers to delivering Enterprise, Mobile and Social Identity Management services from the Cloud.

aurionPro SENA - Building next generation Identity Services for modern enterprises.

To view the app please visit http://youtu.be/btNgGtKxovc

For more information please contact des.powley@aurionprosena.com

Friday Dec 14, 2012

Grow Your Business with Security

Author: Kevin Moulton

Kevin Moulton has been in the security space for more than 25 years, and with Oracle for 7 years. He manages the East EnterpriseSecurity Sales Consulting Team. He is also a Distinguished Toastmaster. Follow Kevin on Twitter at twitter.com/kevin_moulton, where he sometimes tweets about security, but might also tweet about running, beer, food, baseball, football, good books, or whatever else grabs his attention. Kevin will be a regular contributor to this blog so stay tuned for more posts from him.

It happened again! There I was, reading something interesting online, and realizing that a friend might find it interesting too. I clicked on the little email link, thinking that I could easily forward this to my friend, but no! Instead, a new screen popped up where I was asked to create an account. I was expected to create a User ID and password, not to mention providing some personally identifiable information, just for the privilege of helping that website spread their word.

Of course, I didnt want to have to remember a new account and password, I didnt want to provide the requisite information, and I didnt want to waste my time. I gave up, closed the web page, and moved on to something else. I was left with a bad taste in my mouth, and my friend might never find her way to this interesting website. If you were this content provider, would this be the outcome you were looking for?

A few days later, I had a similar experience, but this one went a little differently. I was surfing the web, when I happened upon some little chotcke that I just had to have. I added it to my cart. When I went to buy the item, I was again brought to a page to create account. Groan!

But wait! On this page, I also had the option to sign in with my OpenID account, my Facebook account, my Yahoo account, or my Google Account. I have all of those! No new account to create, no new password to remember, and no personally identifiable information to be given to someone else (Ive already given it all to those other guys, after all).

In this case, the vendor was easy to deal with, and I happily completed the transaction. That pleasant experience will bring me back again.

This is where security can grow your business. Its a differentiator. Youve got to have a presence on the web, and that presence has to take into account all the smart phones everyones carrying, and the tablets that took over cyber Monday this year. If you are a company that a customer can deal with securely, and do so easily, then you are a company customers will come back to again and again.

I recently had a need to open a new bank account. Every bank has a web presence now, but they are certainly not all the same. I wanted one that I could deal with easily using my laptop, but I also wanted 2-factor authentication in case I had to login from a shared machine, and I wanted an app for my iPad. I found a bank with all three, and thats who I am doing business with.

Lets say, for example, that Im in a regular Texas Hold-em game on Friday nights, so I move a couple of hundred bucks from checking to savings on Friday afternoons. I move a similar amount each week and I do it from the same machine. The bank trusts me, and they trust my machine. Most importantly, they trust my behavior. This is adaptive authentication. There should be no reason for my bank to make this transaction difficult for me.

Now let's say that I login from a Starbucks in Uzbekistan, and I transfer $2,500. What should my bank do now? Should they stop the transaction? Should they call my home number? (My former bank did exactly this once when I was taking money out of an ATM on a business trip, when I had provided my cell phone number as my primary contact. When I asked them why they called my home number rather than my cell, they told me that their policy is to call the home number. If I'm on the road, what exactly is the use of trying to reach me at home to verify my transaction?)

But, back to Uzbekistan

Should my bank assume that I am happily at home in New Jersey, and someone is trying to hack into my account? Perhaps they think they are protecting me, but I wouldnt be very happy if I happened to be traveling on business in Central Asia.

What if my bank were to automatically analyze my behavior and calculate a risk score? Clearly, this scenario would be outside of my typical behavior, so my risk score would necessitate something more than a simple login and password. Perhaps, in this case, a one-time password to my cell phone would prove that this is not just some hacker half way around the world.

But, what if you're not a bank? Do you need this level of security? If you want to be a business that is easy to deal with while also protecting your customers, then of course you do.

You want your customers to trust you, but you also want them to enjoy doing business with you. Make it easy for them to do business with you, and theyll come back, and perhaps even Tweet about it, or Like you, and then their friends will follow.

How can Oracle help?

Oracle has the technology and expertise to help you to grown your business with security.

Oracle Adaptive Access Manager will help you to prevent fraud while making it easier for your customers to do business with you by providing the risk analysis I discussed above, step-up authentication, and much more.

Oracle Mobile and Social Access Service will help you to secure mobile access to applications by expanding on your existing back-end identity management infrastructure, and allowing your customers to transact business with you using the social media accounts they already know. You also have device fingerprinting and metrics to help you to grow your business securely.

Security is not just a cost anymore. Its a way to set your business apart. With Oracles help, you can be the business that everyones tweeting about.

Image courtesy of Flickr user shareski

Tuesday Dec 11, 2012

Webcast Tomorrow: Securing the Cloud for Public Sector

Oracle Corporation
Securing the Cloud for Public Sector

Click here, to register for the live webcast.


Dec 12 For 360 Degree View of Security in the Cloud


Cloud computing offers government organizations tremendous potential to enhance public value by helping organizations increase operational efficiency and improve service delivery. However, as organizations pursue cloud adoption to achieve the anticipated benefits a common set of questions have surfaced. “Is the cloud secure? Are all clouds equal with respect to security and compliance? Is our data safe in the cloud?”

Join us December 12th for a webcast as part of the “Secure Government Training Series” to get answers to your pressing cloud security questions and learn how to best secure your cloud environments. You will learn about a comprehensive set of security tools designed to protect every layer of an organization’s cloud architecture, from application to disk, while ensuring high levels of compliance, risk avoidance, and lower costs.

Discover how to control and monitor access, secure sensitive data, and address regulatory compliance across cloud environments by:

  • providing strong authentication, data encryption, and (privileged) user access control to ensure that information is only accessible to those who need it
  • mitigating threats across your databases and applications
  • protecting applications and information – no matter where it is – at rest, in use and in transit


For more information, access the Secure Government Resource Center or to speak with an Oracle representative, please call1.800.ORACLE1.




LIVE Webcast
Securing the Cloud for Public Sector

Date
:
Wednesday,
December 12, 2012

Time
:
2:00 p.m. ET
Visit the Secure Government Resource Center

Click here for information on enterprise security solutions that help government safeguard information, resources and networks.

ACCESS NOW

Visit the Secure Government Resource Center
Hardware and Software Engineered to Work Together
Copyright © 2012, Oracle. All rights reserved. Contact Us | Legal Notices | Privacy Statement

Thursday Dec 06, 2012

Tackling Security and Compliance Barriers with a Platform Approach to IDM: Featuring SuperValu

On October 25, 2012 ISACA and Oracle sponsored a webcast discussing how SUPERVALU has embraced the platform approach to IDM.  Scott Bonnell, Sr. Director of Product Management at Oracle, and Phil Black, Security Director for IAM at SUPERVALU discussed how a platform strategy could be used to formulate an upgrade plan for a large SUN IDM installation.

See the webcast replay here: ISACA Webcast Replay (Requires Internet Explorer or Chrome)

Some of the main points discussed in the webcast include:

  • Getting support for an upgrade project by aligning with corporate initiatives
  • How to leverage an existing IDM investment while planning for future growth
  • How SUN and Oracle IDM architectures can be used in a coexistance strategy
  • Advantages of a rationalized, modern, IDM Platform architecture


 

Tuesday Nov 20, 2012

Oracle on Oracle: Is that all?

On October 17th, I posted a short blog and a podcast interview with Chirag Andani, talking about how Oracle IT uses its own IDM products. Blog link here.

Jaime Cardoso

In response, I received a comment from reader Jaime Cardoso (jaimec@jaimec.pt) who posted:

“- You could have talked about how by deploying Oracle's Open standards base technology you were able to integrate any new system in your infrastructure in days.

- You could have talked about how by deploying federation you were enabling the business side to keep all their options open in terms of companies to buy and sell while maintaining perfect employee and customer's single view.

- You could have talked about how you are now able to cut response times to your audit and security teams into 1/10th of your former times

Instead you spent 6 minutes talking about single sign on and self provisioning? If I didn't knew your IDM offer so well I would now be wondering what its differences from Microsoft's offer was.

Sorry for not giving a positive comment here but, please your IDM suite is very good and, you simply aren't promoting it well enough”

So I decided to send Jaime a note asking him about his experience, and to get his perspective on what makes the Oracle products great. What I found out is that Jaime is a very experienced IDM Architect with several major projects under his belt.

Darin Pendergraft: Can you tell me a bit about your experience? How long have you worked in IT, and what is your IDM experience?

Jaime Cardoso: I started working in "serious" IT in 1998 when I became Netscape's technical specialist in Portugal. Netscape Portugal didn't exist so, I was working for their VAR here. Most of my work at the time was with Netscape's mail server and LDAP server.

Since that time I've been bouncing between the system's side like Sun resellers, Solaris stuff and even worked with Sun's Engineering in the making of an Hierarchical Storage Product (Sun CIS if you know it) and the application's side, mostly in LDAP and IDM.

Over the years I've been doing support, service delivery and pre-sales / architecture design of IDM solutions in most big customers in Portugal, to name a few projects:

- The first European deployment of Sun Access Manager (SAPO – Portugal Telecom)

- The identity repository of 5/5 of the Biggest Portuguese banks

- The Portuguese government federation of services project

DP: OK, in your blog response, you mentioned 3 topics:

1. Using Oracle's standards based architecture; (you) were able to integrate any new system in days: can you give an example? What systems, how long did it take, number of apps/users/accounts/roles etc.

JC: It's relatively easy to design a user management strategy for a static environment, or if you simply assume that you're an <insert vendor here> shop and all your systems will bow to that vendor's will. We've all seen that path, the use of proprietary technologies in interoperability solutions but, then reality kicks in. As an ISP I recall that I made the technical decision to use Active Directory as a central authentication system for the entire IT infrastructure. Clients, systems, apps, everything was there.

As a good part of the systems and apps were running on UNIX, then a connector became needed in order to have UNIX boxes to authenticate against AD. And, that strategy worked but, each new machine required the component to be installed, monitoring had to be made for that component and each new app had to be independently certified.

A self care user portal was an ongoing project, AD access assumes the client is inside the domain, something the ISP's customers (and UNIX boxes) weren't nor had any intention of ever being.

When the Windows 2008 rollout was done, Microsoft changed the Active Directory interface. The Windows administrators didn't have enough know-how about directories and the way systems outside the MS world behaved so, on the go live, things weren't properly tested and a general outage followed. Several hours and 1 roll back later, everything was back working.

But, the ISP still had to change all of its applications to work with the new access methods and reset the effort spent on the self service user portal. To keep with the same strategy, they would also have to trust Microsoft not to change interfaces again.

Simply by putting up an Oracle LDAP server in the middle and replicating the user info from the AD into LDAP, most of the problems went away. Even systems for which no AD connector existed had PAM in them so, integration was made at the OS level, fully supported by the OS supplier.

Sun Identity Manager already had a self care portal, combined with a user workflow so, all the clearances had to be given before the account was created or updated.

Adding a new system as a client for these authentication services was simply a new checkbox in the OS installer and, even True64 systems were, for the first time integrated also with a 5 minute work of a junior system admin.

True, all the windows clients and MS apps still went to the AD for their authentication needs so, from the start everybody knew that they weren't 100% free of migration pains but, now they had a single point of problems to look at.

If you're looking for numbers:

- 500K directory entries (users)

- 2-300 systems

After the initial setup, I personally integrated about 20 systems / apps against LDAP in 1 day while being watched by the different IT teams. The internal IT staff did the rest.

DP: 2. Using Federation allows the business to keep options open for buying and selling companies, and yet maintain a single view for both employee and customer. What do you mean by this? Can you give an example?

JC: The market is dynamic. The company that's being bought today tomorrow will be sold again. Companies that spread on different markets may see the regulator forcing a sale of part of a company due to monopoly reasons and companies that are in multiple countries have to comply with different legislations.

Our job, as IT architects, while addressing the customers and employees authentication services, is quite hard and, quite contrary. On one hand, we need to give access to all of our employees to the relevant systems, apps and resources and, we already have marketing talking with us trying to find out who's a customer of the bough company but not from ours to address.

On the other hand, we have to do that and keep in mind we may have to break up all that effort and that different countries legislation may became a problem with a full integration plan.

That's a job for user Federation. you don't want to be the one who's telling your President that he will sell that business unit without it's customer's database (making the deal worth a lot less) or that the buyer will take with him a copy of your entire customer's database. Federation enables you to start controlling permissions to users outside of your traditional authentication realm. So what if the people of that company you just bought are keeping their old logins? Do you want, because of that, to have a dedicated system for their expenses reports? And do you want to keep their sales (and pre-sales) people out of the loop in terms of your group's path?

Control the information flow, establish a Federation trust circle and give access to your apps to users that haven't (yet?) been brought into your internal login systems. You can still see your users in a unified view, you obviously control if a user has access to any particular application, either that user is in your local database or stored in a directory on the other side of the world.

DP: 3. Cut response times of audit and security teams to 1/10. Is this a real number? Can you give an example?

JC: No, I don't have any backing for this number.

One of the companies I did system Administration for has a SOX compliance policy in place (I remind you that I live in Portugal so, this definition of SOX may be somewhat different from what you're used

to) and, every time the audit team says they'll do another audit, we have to negotiate with them the size of the sample and we spend about 15 man/days gathering all the required info they ask.

I did some work with Sun's Identity auditor and, from what I've been seeing, Oracle's product is even better and, I've seen that most of the information they ask would have been provided in a few hours with the help of this tool. I do stand by what I said here but, to be honest, someone from Identity Auditor team would do a much better job than me explaining this time savings.

Jaime is right: the Oracle IDM products have a lot of business value, and Oracle IT is using them for a lot more than I was able to cover in the short podcast that I posted.

I want to thank Jaime for his comments and perspective. We want these blog posts to be informative and honest – so if you have feedback for the Oracle IDM team on any topic discussed here, please post your comments below.

Tuesday Nov 13, 2012

Developing and Enforcing a BYOD Policy

On October 23, SANS released Part 1 of their Mobile Access Policy Survey (webcast link) and Part 2 was presented on October 25th (webcast link).

Join us this Thursday, November 15th as SANS and Oracle present a follow up webcast that will review the survey findings and present guidance on how to create a mobile access policy for employee owned devices, and how to enforce it using Oracle IDM.

Click this link to register: Developing and Enforcing a BYOD Policy

This will be an excellent opportunity to get the latest updates on how organizations are handling BYOD policies and managing mobile access.

We will have 3 speakers:

Tony DeLaGrange a Security Expert from Secure Ideas will review the main findings of the SANS Mobile Access Survey

Ben Wright, a SANS instructor, attorney and technology law expert will present guidance on how to create BYOD policy

Lee Howarth from Oracle Product Managment will review IDM techology that can be used to support and enforce BYOD policies.

Join us Thursday to hear about best practices and to get your BYOD questions answered. 

Monday Oct 29, 2012

SANS Mobility Policy Survey Webcast follow up


Hello Everyone!  If you missed the SANS mobility survey webcast on October 23 - here is a link to the replay and to the slides: [Warning -  you have to register to see the replay and to get the slides]

https://www.sans.org/webcasts/byod-security-lists-policies-mobility-policy-management-survey-95429

The webcast had a lot of great information about how organizations are setting up and managing their mobile access policies.  Here are a couple of key takeaways:

1.  Who is most concerned about mobile access policy?

Security Analysts >> CISOs >> CIOs - the focus is coming from the risk and security office - so what does that mean for the IT teams?

2. How important is mobile policy?

77% said "Critical" or "Extremely Important" - so this means mobile access policies will get a lot of attention.

 3. When asked about the state of their mobile policies:

Over 35% said they didn't have a mobile access policy and another 35% said they simply ask their employees to sign a usage agreement.  So basically ~70% of the respondents were not actively managing or monitoring mobile access.

Be sure to watch the webcast replay for all of the details.

Box, Oracle and RSA were all co-sponsors of the survey and webcast and all were invited to give a brief presentation at the end.

Monday Oct 22, 2012

Free SANS Mobility Policy Survey Webcast - October 23rd @10:00 am PST

Join us for a free webcast tomorrow, October 23 @ 10:00 am PST as SANS presents the findings from their mobility policy survey.

-- Register here for Part 1: https://www.sans.org/webcasts/byod-security-lists-policies-mobility-policy-management-survey-95429

This is a great opportunity to see where companies are with respect to mobile access policies and overall mobile application management.

This first part is entitled: BYOD Wish Lists and Policies.  Part 2 will be run on October 25th and is entitled: BYOD security practices.

-- Register here for Part 2: https://www.sans.org/webcasts/byod-security-practices-2-mobility-policy-management-survey-95434

Friday Oct 19, 2012

Oracle presentations at the CIPS ICE Conference, November 5 - 7, Edmonton, Alberta, Canada

Oracle will be presenting at the CIPS ICE conference the last week of October in Calgary and the first week of November in Edmonton.

Here is a list of the presentations for Edmonton: SHAW Conference Centre

• Session Title: Identity and Access Management Integrated; Analyzing the Platform vs Point Solution Approach
• Speaker: Darin Pendergraft
• Monday, November 5th @ 10:45 AM - 12:00 PM

• Session Title: Is Your IT Security Strategy Putting Your Institution at Risk?
• Speaker: Spiros Angelopoulos
• Monday, November 5th @ 1:45 PM - 3:00 PM

Three sessions under the TRAIN: Practical Knowledge Track

• Monday, November 5th @ 10:45 AM, 1:45 PM, 3:30 PM
• Title: What's new in the Java Platform
   Presenter: Donald Smith
• Title: Java Enterprise Edition 6
   Presenter: Shaun Smith
• Title: The Road Ahead for Java SE, JavaFX and Java EE
   Presenters: Donald Smith and Shaun Smith

To learn more about the conference, and to see the other sessions go to the conference website.

Wednesday Oct 17, 2012

Oracle on Oracle: How Oracle IT uses Oracle IDM

Sometimes, the toughest customers are your own employees.  Chirag Andani runs the Product Development Security IT Group - which means that his group is responsible for internal Identity Management and Security inside Oracle.

Like a lot of large, global companies, Oracle has a complicated and dynamic IT infrastructure which continues to change as the company grows and acquires companies.

I caught up with Chirag and asked him what kinds of problems his team faces, and asked him what he thinks about Oracle IDM, and 11gR2 in particular.

Listen to the podcast interview here: podcast link and check out his presentation below.


 

Thursday Oct 11, 2012

Guest Blog: Secure your applications based on your business model, not your application architecture, by Yaldah Hakim

Today’s businesses are looking for new ways to engage their customers, embrace mobile applications, while staying in compliance, improving security and driving down costs.  For many, the solution to that problem is to host their applications with a Cloud Services provider, but concerns that a hosted application will be less secure continue to cause doubt.

Oracle is recognized by Gartner as a leader in the User Provisioning and Identity and Access Governance magic quadrants, and has helped thousands of companies worldwide to secure their enterprise applications and identities.  Now those same world class IDM capabilities are available as a managed service, both for enterprise applications, as well has Oracle hosted applications.

--- Listen to our IDM in the cloud podcast to hear Yvonne Wilson, Director of the IDM Practice in Cloud Service, explain how Oracle Managed Services provides IDM as a service ---

Selecting OracleManaged Cloud Services to deploy and manage Oracle Identity Management Services is a smart business decision for a variety of reasons.


Oracle hosted Identity Management infrastructure is deployed securely, resilient to failures, and supported by Oracle experts. In addition, Oracle  Managed Cloud Services monitors customer solutions from several perspectives to ensure they continue to work smoothly over time. Customers gain the benefit of Oracle Identity Management expertise to achieve predictable and effective results for their organization.

Customers can select Oracle to host and manage any number of Oracle IDM products as a service as well as other Oracle’s security products, providing a flexible, cost effective alternative to onsite hardware and software costs.

Security is a major concern for all organizations- making it increasingly important to partner with a company like Oracle to ensure consistency and a layered approach to security and compliance when selecting a cloud provider.  Oracle Cloud Service makes this possible for our customers by taking away the headache and complexity of managing Identity management infrastructure and other security solutions.

For more information:

http://www.oracle.com/us/solutions/cloud/managed-cloud-services/overview/index.html

Twitter-https://twitter.com/OracleCloudZone

Facebook - http://www.facebook.com/OracleCloudComputing


Thursday Sep 27, 2012

Chock-full of Identity Customers at Oracle OpenWorld

 

Oracle Openworld (OOW) 2012 kicks off this coming Sunday. Oracle OpenWorld is known to bring in Oracle customers, organizations big and small, from all over the world. And, Identity Management is no exception.

If you are looking to catch up with Oracle Identity Management customers, hear first-hand about their implementation experiences and discuss industry trends, business drivers, solutions and more at OOW, here are some sessions we recommend you attend:

Monday, October 1, 2012

CON9405: Trends in Identity Management
10:45 a.m. – 11:45 a.m., Moscone West 3003

Subject matter experts from Kaiser Permanente and SuperValu share the stage with Amit Jasuja, Snior Vice President, Oracle Identity Management and Security to discuss how the latest advances in Identity Management are helping customers address emerging requirements for securely enabling cloud, social and mobile environments.

CON9492: Simplifying your Identity Management Implementation
3:15 p.m. – 4:15 p.m., Moscone West 3008

Implementation experts from British Telecom, Kaiser Permanente and UPMC participate in a panel to discuss best practices, key strategies and lessons learned based on their own experiences. Attendees will hear first-hand what they can do to streamline and simplify their identity management implementation framework for a quick return-on-investment and maximum efficiency.

CON9444: Modernized and Complete Access Management
4:45 p.m. – 5:45 p.m., Moscone West 3008

We have come a long way from the days of web single sign-on addressing the core business requirements. Today, as technology and business evolves, organizations are seeking new capabilities like federation, token services, fine grained authorizations, web fraud prevention and strong authentication. This session will explore the emerging requirements for access management, what a complete solution is like, complemented with real-world customer case studies from ETS, Kaiser Permanente and TURKCELL and product demonstrations.

Tuesday, October 2, 2012

CON9437: Mobile Access Management
10:15 a.m. – 11:15 a.m., Moscone West 3022

With more than 5 billion mobile devices on the planet and an increasing number of users using their own devices to access corporate data and applications, securely extending identity management to mobile devices has become a hot topic. This session will feature Identity Management evangelists from companies like Intuit, NetApp and Toyota to discuss how to extend your existing identity management infrastructure and policies to securely and seamlessly enable mobile user access.

CON9491: Enhancing the End-User Experience with Oracle Identity Governance applications
11:45 a.m. – 12:45 p.m., Moscone West 3008

As organizations seek to encourage more and more user self service, business users are now primary end users for identity management installations.  Join experts from Visa and Oracle as they explore how Oracle Identity Governance solutions deliver complete identity administration and governance solutions with support for emerging requirements like cloud identities and mobile devices.

CON9447: Enabling Access for Hundreds of Millions of Users
1:15 p.m. – 2:15 p.m., Moscone West 3008

Dealing with scale problems? Looking to address identity management requirements with million or so users in mind? Then take note of Cisco’s implementation. Join this session to hear first-hand how Cisco tackled identity management and scaled their implementation to bolster security and enforce compliance.

CON9465: Next Generation Directory – Oracle Unified Directory
5:00 p.m. – 6:00 p.m., Moscone West 3008

Get the 360 degrees perspective from a solution provider, implementation services partner and the customer in this session to learn how the latest Oracle Unified Directory solutions can help you build a directory infrastructure that is optimized to support cloud, mobile and social networking and yet deliver on scale and performance.

Wednesday, October 3, 2012

CON9494: Sun2Oracle: Identity Management Platform Transformation
11:45 a.m. – 12:45 p.m., Moscone West 3008

Sun customers are actively defining strategies for how they will modernize their identity deployments. Learn how customers like Avea and SuperValu are leveraging their Sun investment, evaluating areas of expansion/improvement and building momentum.

CON9631: Entitlement-centric Access to SOA and Cloud Services
11:45 a.m. – 12:45 p.m., Marriott Marquis, Salon 7

How do you enforce that a junior trader can submit 10 trades/day, with a total value of $5M, if market volatility is low? How can hide sensitive patient information from clerical workers but make it visible to specialists as long as consent has been given or there is an emergency? How do you externalize such entitlements to allow dynamic changes without having to touch the application code? In this session, Uberether and HerbaLife take the stage with Oracle to demonstrate how you can enforce such entitlements on a service not just within your intranet but also right at the perimeter.

CON3957 - Delivering Secure Wi-Fi on the Tube as an Olympics Legacy from London 2012
11:45 a.m. – 12:45 p.m., Moscone West 3003

In this session, Virgin Media, the U.K.’s first combined provider of broadband, TV, mobile, and home phone services, shares how it is providing free secure Wi-Fi services to the London Underground, using Oracle Virtual Directory and Oracle Entitlements Server, leveraging back-end legacy systems that were never designed to be externalized. As an Olympics 2012 legacy, the Oracle architecture will form a platform to be consumed by other Virgin Media services such as video on demand.

CON9493: Identity Management and the Cloud
1:15 p.m. – 2:15 p.m., Moscone West 3008

Security is the number one barrier to cloud service adoption.  Not so for industry leading companies like SaskTel, ConAgra foods and UPMC. This session will explore how these organizations are using Oracle Identity with cloud services and how some are offering identity management as a cloud service.

CON9624: Real-Time External Authorization for Middleware, Applications, and Databases
3:30 p.m. – 4:30 p.m., Moscone West 3008

As organizations seek to grant access to broader and more diverse user populations, the importance of centrally defined and applied authorization policies become critical; both to identify who has access to what and to improve the end user experience.  This session will explore how customers are using attribute and role-based access to achieve these goals.

CON9625: Taking control of WebCenter Security
5:00 p.m. – 6:00 p.m., Moscone West 3008

Many organizations are extending WebCenter in a business to business scenario requiring secure identification and authorization of business partners and their users. Leveraging LADWP’s use case, this session will focus on how customers are leveraging, securing and providing access control to Oracle WebCenter portal and mobile solutions.

Thursday, October 4, 2012

CON9662: Securing Oracle Applications with the Oracle Enterprise Identity Management Platform
2:15 p.m. – 3:15 p.m., Moscone West 3008

Oracle Enterprise identity Management solutions are designed to secure access and simplify compliance to Oracle Applications.  Whether you are an EBS customer looking to upgrade from Oracle Single Sign-on or a Fusion Application customer seeking to leverage the Identity instance as an enterprise security platform, this session with Qualcomm and Oracle will help you understand how to get the most out of your investment.

And here’s the complete listing of all the Identity Management sessions at Oracle OpenWorld.

Wednesday Sep 26, 2012

Meet and Greet with IDM Executives at Oracle OpenWorld

Oracle’s Identity Management Team

Invites You to

Learn How to Secure The New Digital Experience

Come see how the Oracle Identity Management platform can position your company to take
advantage of the emerging business opportunities.

  • Leverage Social Identities for web authentication
  • Enable customers and employees to interact through their mobile devices
  • Deploy Self Service User Provisioning for quick role changes based on business needs

We look forward to seeing you there!

Wednesday, October 3rd 
3:30-4:30 PM  Meeting
4:30-5:30 PM  Cocktail Reception

Four Seasons Hotel

Yerba Buena Room

757 Market Street
San Francisco, CA 94103
415.633.3000
http://www.fourseasons.com/sanfrancisco/

 

RSVP Now

Copyright © 2012, Oracle and/or its affiliates. 
All rights reserved.

Contact Us | Legal Notices and Terms of Use | Privacy Statement

11gR2: BETA Customer perspective with special guest, Ravi Meduri from Kaiser Permanente

Before Oracle IDM 11gR2 launched, we had a very successful BETA program. Kaiser was one of many great companies that participated, and I caught up with Ravi Meduri, IAM Systems Engineering Manager to ask him what he thought of the new release.

Listen to our podcast interview here: podcast interview  to hear Ravi talk about scalability and high availability features in 11gR2.

Thursday Sep 20, 2012

Sun2Oracle: Upgrading from DSEE to the next generation Oracle Unified Directory - webcast follow up

Thanks to all of the guest speakers on our Sun2Oracle webcast: Steve from Hub City Media, Albert from UCLA and our own Scott Bonell.

If you missed the webcast here is a link: Webcast Replay

During the webcast, we tried to answer as many questions as we could, but there were a few that we needed a bit more time to answer.  Albert from UCLA sent me the following information:

Alternate Directory Evaluation

We were happy with Sun DSEE. OUD, based on the research we had done, was a logical continuation of DSEE.  If we moved away, it was to to go open source.

UCLA evaluated OpenLDAP, OpenDS, Red Hat's 389 Directory. We also briefly entertained Active Directory.

Ultimately, we decided to stay with OUD for the Enterprise Directory, and adopt OpenLDAP for the non-critical edge directories.

Hardware

For Enterprise Directory, UCLA runs 3 Dell PowerEdge R710 servers. Each server has 12GB RAM and 2 2.4GHz Intel Xeon E5 645 processors. We run 2 of those servers at UCLA's Data Center in a semi active-passive configuration. The 3rd server is located at UCLA Berkeley. All three are multi master replicated. At run time, the bulk of LDAP query requests go to 1 server. Essentially, all of our authn/authz traffic is being handled by 1 server, with the other 2 acting as redundant back ups.

You mentioned federation, was that an important requirement for UCLA?

Yes. UCLA collaborates heavily with other higher education institutions around the country/world. We often have researchers wanting to sign into services provided by fellow higher ed institutions. We also have plenty of visiting scholars or collaborating researchers from other institutions accessing UCLA services. Higher education communities around the world have deployed Shibboleth/SAML-based federated IDM solutions to facilitate these collaborations:

http://www.incommon.org/

http://www.canarie.ca/en/caf-service/about

http://www.ukfederation.org.uk/

http://www.feide.no/om-feide

And a more comprehensive listing of federations around the world:

http://en.wikipedia.org/wiki/Shibboleth_(Internet2)#Federations

What was the net change in hardware footprint?

Not much actually. We kept the same server/network topology: 

  • two servers at our local data center, one at our remote DR data center. 
  • the servers replicate in real time via multi-master replication. 
  • 1 of the servers at our local data center serves as the primary access server serving all query traffic. The other servers serve as hot standby.
  • On our old Sun DSEE servers - we ran Red Hat Enterprise Linux AS release 4 (Nahant Update 8) - 32bit.  On the new OUD servers - Red Hat Enterprise Linux Server release 5.7 (Tikanga) - 64bit

The only changes we made during the upgrade were that we upgraded the software from DSEE 6.3, upgraded Linux, and that we bought new servers. The old servers were Dell PowerEdge 2850's. The new ones are Dell PowerEdge R710's.

What is your hardware specification for one OUD 11g server…

Can you explain the HA/DR architecture a bit more?

RAM size, CPU type, and number?

We runs 3 Dell PowerEdge R710 servers. Each server has 12GB RAM and 2 2.4GHz Intel Xeon E5 645 processors. 2 of those servers run at UCLA's Data Center in a semi active-passive configuration. The 3rd server is located at UCLA Berkeley. All three are multi master replicated. At run time, the bulk of LDAP query requests go to 1 server. Essentially, all of our authn/authz traffic is being handled by 1 server, with the other 2 acting as redundant back ups. 

Our IDM architecture is highly modular. All external access to the enterprise directory run through a service layer. This layer is consists of Shibboleth, a set of data update web services and loading programs, and a number of edge directories. All service layer components can be easily configured (some automatically) to seek out the secondary directory servers when the primary goes down. We take advantage of this capability during maintenance to keep the services available.  

FYI, our servers are hosted in a tier 2.5 data center (We have tier 3-like capability for critical servers such as OUD, but we don't have that for all servers in the data center).

What was the cost of the migration?

 Because of the labor and equipment cost differences, I don't think my numbers will be all that accurate. I can say the following:

  • We engaged Hub City Media for just about 1.5 months worth of work.
  • We had one system engineer working full time on the project throughout the 4 month period. He also managed the project.
  • We had fractional support/transition coordination from our Infrastructure Services team (sys admin, operations, networking), probably about 80 hours
  • We purchased 3 of the servers described above.
  • We purchased the OUD software.

How much testing did you do? Did you do load testing?

Yes. We conducted several passes of data loading/validation tests. In addition, we ran security vulnerability scans and ran multi stress tests ranging from peak stress tests to sustained, multi-day simulations. Sorry. We can't release test result data, but I can say that OUD passed with flying colors.

We only had one engineer working on the project. Between test prep, run, and analysis, testing did take about a month.

Was the OUD Proxy used at UCLA?

No. We considered it, and might still consider it as we revise our architecture. But for the migration, we did not introduce the Proxy.

Can OUD Server and DSEE replicate each other?

Yes, but with caveats. There is no direct replication between OUD 11g and Sun DSEE 6.3. You need to place Oracle DSEE in between. In addition, there is an undisclosed cap on the replication rate. All of this may have changed since we worked on the project though. :-)

Wednesday Sep 19, 2012

Security Newsletter – September Edition is Out Now

 

The September issue of Security Inside Out Newsletter is out now. This month’s edition offers a preview of Identity Management and Security events and activities scheduled for Oracle OpenWorld. Oracle OpenWorld (OOW) 2012 will be held in San Francisco from September 30-October 4. Identity Management will have a significant presence at Oracle OpenWorld this year, complete with sessions featuring technology experts, customer panels, implementation specialists, product demonstrations and more. In addition, latest technologies will be on display at OOW demogrounds. Hands-on-Labs sessions will allow attendees to do a technology deep dive and train with technology experts.

Executive Edge @ OpenWorld also features the very successful Oracle Chief Security Officer (CSO) Summit. This year’s summit promises to be a great educational and networking forum complete with a contextual agenda and attendance from well known security executives from organizations around the globe.

This month’s edition also does a deep dive on the recently announced Oracle Privileged Account Manager (OPAM). Learn more about the product’s key capabilities, business issues the solution addresses and information on key resources. OPAM is part of Oracle’s complete and integrated Oracle Identity Governance solution set.

And if you haven’t done so yet, we recommend you subscribe to the Security Newsletter to keep up to date on Security news, events and resources.

As always, we look forward to receiving your feedback on the newsletter and what you’d like us to cover in the upcoming editions.

Tuesday Sep 18, 2012

Webcast Reminder: Implementing IDM in Healthcare, September 19th @10:00 am PST

Join me and Rex Thexton from PwC tomorrow (September 19th) as we review an IDM project that Rex and his team completed for a large healthcare organization.  Rex will talk through the IT environment and business drivers that lead to the project, and then we will go through planning, design and implementation of the Oracle Identity Management products that PwC and the customer chose to complete the project.

This will be a great opportunity to hear about the trends that are driving IT Healthcare, and to get your Identity Management questions answered.

If you haven't already registered - Register Here!


About

Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.

Search

Archives
« May 2015
SunMonTueWedThuFriSat
     
1
2
3
4
5
6
8
9
10
11
12
13
14
15
16
17
18
20
21
22
23
24
25
26
27
28
29
30
31
      
Today