Wednesday Apr 16, 2014

Management and Provisioning of Mobile Devices - Dave Smith

Today we will explore provisioning and device management. These weren’t always considered related topics, but in a bring-your-own-device (BYOD) world there are new relationships to consider.

So what is a device? In the context of the Internet of Things, it potentially refers to anything having an IP address, such as an automobile, refrigerator, etc. In the context of mobile security, it refers to smartphones and tablets. The mobile device is the new channel to access corporate content, applications and systems, breaking free from the traditional model of using a desktop computer or laptop to access these assets.

It should be no surprise that from the perspective of enterprise security, “device management” means controlling the device or, better yet, controlling what corporate assets can be accessed from the device. In a BYOD world, employees bring their personal mobile devices into the workplace in order to access corporate assets more flexibly. The BYOD phenomenon defines not only an architecture but also a cultural shift and, quite frankly, an expectation from users that their personal devices will continue to provide the experience they are accustomed to from other mobile apps. Device management must therefore be deployed carefully: it has to provide easy and familiar access from employees’ devices while at the same time not sacrificing corporate security by granting limitless access to corporate assets. While on the surface device management seems to be a device-centric approach, it actually needs to be user-centric.

So what does provisioning mean for mobile devices? Provisioning means managing access. Often this is associated with managing access to application accounts, e.g. creating, updating, retrieving or deleting accounts, or managing the privileges or entitlements granted through those accounts. However, when considering mobile devices and device management, provisioning must also cover managing access from the user’s device to corporate assets (content, files/shares, applications, services). So provisioning includes both digital access (e.g. accounts and entitlements) and physical access (e.g. enabling network access to corporate assets). Managing someone’s access by group or role (role-based access control, RBAC) is much more scalable and less brittle than managing access on an individual, user-by-user basis.

Provisioning access can be triggered by a number of factors. One is “birthright” access, based on a new-hire event. Another is driven by requests for new access (similar to online shopping, but where the cart holds new entitlements). With the introduction of mobile devices, a third example is managing the catalog of mobile apps that a particular person can download to his or her device, ideally based upon his or her job and role within the company.

Closely related to provisioning is de-provisioning, the removal of access. Historically, de-provisioning occurs when a person leaves the company or changes jobs and no longer needs access. In a BYOD world, de-provisioning must extend to the mobile apps running on the person’s enabled devices. Furthermore, since mobile devices are more easily lost or stolen, mobile device management dictates that access has to be de-provisioned or blocked from the device when the device itself has been compromised.
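As an added illustration (not code from the original post), the following Python model ties the provisioning and de-provisioning triggers above together: roles grant account entitlements, a slice of the mobile app catalog and network zones, and a compromised device is blocked without touching the user's accounts. All role names, apps, network zones and device ids are constructed.

```python
from dataclasses import dataclass, field

# Constructed role model (not from the post): each role grants account
# entitlements (digital access), a slice of the mobile app catalog, and the
# network zones it may reach (physical access).
ROLE_POLICY = {
    "employee": {"entitlements": {"email", "intranet"},
                 "apps": {"mail", "directory"},
                 "network": {"corp-wifi"}},
    "finance": {"entitlements": {"general-ledger"},
                "apps": {"expense-approval"},
                "network": {"finance-segment"}},
    "support": {"entitlements": {"ticketing"},
                "apps": {"helpdesk"},
                "network": {"corp-wifi"}},
}
ACCESS_KINDS = ("entitlements", "apps", "network")
ENROLLED, COMPROMISED = "enrolled", "compromised"


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    devices: dict = field(default_factory=dict)  # device id -> enrolment state


def effective_access(user):
    """What the user holds: the union of everything their roles grant."""
    access = {kind: set() for kind in ACCESS_KINDS}
    for role in user.roles:
        for kind in ACCESS_KINDS:
            access[kind] |= ROLE_POLICY[role][kind]
    return access


def device_access(user, device_id):
    """What is reachable *from one device*: the role grants, unless the device
    is unknown or has been reported compromised, in which case nothing."""
    if user.devices.get(device_id) != ENROLLED:
        return {kind: set() for kind in ACCESS_KINDS}
    return effective_access(user)


# Provisioning triggers named in the post.
def new_hire(name, device_id):
    """Birthright access: every new hire gets the 'employee' role and one enrolled device."""
    return User(name, roles={"employee"}, devices={device_id: ENROLLED})


def request_role(user, role):
    """Request-driven access: the 'shopping cart' holding new entitlements."""
    if role not in ROLE_POLICY:
        raise ValueError(f"unknown role {role!r}")
    user.roles.add(role)


# De-provisioning triggers named in the post.
def change_job(user, old_role, new_role):
    """Job change: the old role's access is removed, not merely added to."""
    user.roles.discard(old_role)
    request_role(user, new_role)


def report_device_compromised(user, device_id):
    """Lost or stolen device: block the device without touching the user's accounts."""
    if device_id in user.devices:
        user.devices[device_id] = COMPROMISED


def offboard(user):
    """Leaver: remove every role and de-enrol every device."""
    user.roles.clear()
    user.devices.clear()


if __name__ == "__main__":
    alice = new_hire("alice", "phone-1")
    request_role(alice, "finance")
    print(device_access(alice, "phone-1"))
    report_device_compromised(alice, "phone-1")
    print(device_access(alice, "phone-1"), effective_access(alice))
```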

In the next blog, we will take a look into the concept of “secure containers”, which are provisioned to the device as a key component of a successful BYOD strategy.

Wednesday Apr 02, 2014

Analyzing How MDM and MAM Stack Up Against Your Mobile Security Requirements - by Matt Flynn

Mobile is the new black. Every major analyst group seems to have a different phrase for it but we all know that workforces are increasingly mobile and BYOD (Bring Your Own Device) is quickly spreading as the new standard. As the mobile access landscape changes and organizations continue to lose more and more control over how and where information is used, there is also a seismic shift taking place in the underlying mobile security models.

Mobile Device Management (MDM) was a great first response by an Information Security industry caught on its heels by the overwhelming speed of mobile device adoption. Emerging at a time when organizations were purchasing and distributing devices to employees, MDM provided a mechanism to manage those devices, ensure that rogue devices weren’t being introduced onto the network, and enforce security policies on those devices. But MDM was as intrusive to end-users as it was effective for enterprises.

In the MDM model, employees relinquished control of their devices to their employer. Big brother knew what was installed, how the devices were used, what data was on the device, and MDM gave organizations full control to wipe device data at will. As a result, many people chose to carry two devices: one for personal use and the other for work. As device manufacturers dramatically improved products every six months, people quickly began using personal devices as the primary communication mechanism and work devices as needed to perform certain tasks. It also drove people to insecurely send work data to personal devices for convenience, increasing the risk of data loss. For these reasons and with the upswing of BYOD, MDM has been relegated to playing a supporting role in Enterprise Mobile Security.

Mobile Application Management (MAM) has emerged as a better alternative to MDM in the world of BYOD. MAM solutions create a secure mechanism for employees to interact with corporate data and apps without infringing upon personal apps and data. With MAM, organizations can control application and data access and how data is used on mobile devices, and enable new mobile access scenarios without compromising security. MAM embraces the BYOD movement and encourages employee mobility while also locking down data, reducing exposure, and responding more efficiently to compliance mandates about how data is used. But MAM isn’t the end of the story.

Mobile access isn’t much different than other types of access. It’s just another access point that should be part of an Enterprise Access Management approach. Securing access via mobile devices shouldn’t require an entirely separate technology silo, another set of management interfaces, and yet another point of integration for corporate Access Governance. Also, most MAM solutions fall short on a variety of use-cases. By rationalizing MAM into an enterprise Access Management approach, organizations gain extremely valuable capabilities that are otherwise unavailable in MAM solutions alone.

For example, MAM-type on-device virtual workspace approaches don’t work very well in B2C scenarios where apps are delivered via well-known public app stores. Nor do they make sense from a user experience perspective in those scenarios. Also, for advanced Access Management scenarios such as risk-based transaction authorization, integrating basic app security with back-end adaptive access solutions provides extremely compelling benefits. With apps looking to leverage modern protocols such as REST to access legacy system data, there is benefit from Access Management infrastructure such as API Gateways that provide those services. Providing support for these advanced scenarios in a solution that provides a single point of management, single infrastructure, and unified audit trail is where Mobile security is heading.

Next generation mobile security solutions will see MDM and MAM features integrated into more traditional and enterprise-centric Access Management solutions. This single platform approach simplifies management, reduces cost, and enables an improved user experience. But more importantly, incorporating the capabilities of a robust Access Management platform opens new avenues through which to do business and engage with customers, partners, and the extended community. Oracle has a focus on providing exactly this kind of integrated and consolidated approach to securing the mobile platform through securing the device, applications and the access with the Oracle Mobile Security Suite.

In our next post in this series, we’ll look at the various deployment phases through which cloud technologies are being adopted by increasingly mobile workforces starting with cloud-based file sharing services.

Wednesday Mar 26, 2014

Multi Channel Architecture & Securing The Mobile Channel - by Ricardo Diaz

This brand NEW series from Oracle's Global Sales Support team will dive into mobile security risks, dissect MDM, MAM and changes in the wind, device management, fraud, secure containers, extending IdM to mobile, application development and much more.

Multi-Channel Architecture (MCA) projects are transformative business trends brought on by I.T. modernization initiatives across industries. As the technology behind these customer, partner, vendor or employee channels evolves to meet today's new business opportunities, security and privacy risks have never been greater, especially in the Mobile Channel.

Let's look at one of my favorite industries' multi-channel architectures, BANKING, and why securing the mobile channel is quickly becoming a priority for businesses globally.

A bank's channels (ATM, branches, online, IVR, POS, PSE and mobile) all need air-tight information protection policy and rock-solid security/privacy controls. The Mobile channel, on the surface, looms as the 800-pound gorilla in the room for many bank enterprise security architects because mobile security, to many, is so new. In reality, with the right technology partner it doesn’t have to be.

One interesting and risky trend I noticed working with Colombian, Mexican and Australian banks and their MCA projects is where the mobile application development group sits in the enterprise org. These critical development teams were sitting outside of I.T.! NO governance. Weak security. They did this to speed up the development process of their apps. I get it, but this is a good example of what is probably more common than you'd think when it comes to the risks of mobile application development. So is bringing these development teams under the I.T. umbrella going to secure their apps? Not necessarily, but this type of security challenge highlights the need for not just a good mobile security solution but one that isn't bound by organizational or political barriers. All these MCA banking projects had this challenge as a key business driver for a robust, secure mobile channel. Take a look INSIDE your organization. Is security ubiquitous within your mobile business channel? Are shortcuts being taken to speed up development and meet business demand? Can you extend your enterprise security policy to these mobile devices if these apps were not built to your corporate enterprise architecture or security standard?

In the next GSS blog, we will highlight how the MDM/MAM space has evolved and why these technologies are part of the mobile security answer but not the final answer.

Wednesday Feb 26, 2014

Announcing Oracle Mobile Security Suite: Secure Deployment of Applications and Access for Mobile

Today, Oracle has announced a new offering, Oracle Mobile Security Suite, which will provide access to sensitive applications and data on personal or corporate-owned devices. This new offering will give enterprises unparalleled capabilities in how they contain, control and enhance the mobile experience.

A great deal of effort has gone into analyzing how corporations are leveraging the mobile platform today, as well as how they will use this platform in the future. Corporate IT has spoken loud and clear about the challenges it faces around lengthy provisioning times for access to applications and services, as well as the need to manage the increased usage of applications. Recent industry reports show how significant the risks can be. A detailed assessment of one of the most popular application marketplaces shows that 100% of the top 100 paid apps have some form of rogue variant posted within the same marketplace [1]. As credential theft is on the rise, one of the places it is being achieved is on the mobile device, through rogue apps or malware with embedded keystroke recorders or collection tools that send other critical data back from the device.

One of the great new features of the Oracle Mobile Security Suite (OMSS) is its use of containers. Containers allow OMSS to create a secure workspace within the device, where corporate applications, email, data and more can reside. This workspace uses its own secure communications back to the back-end cloud or corporate systems, independent of VPN. This means that corporate information is maintained and managed separately from the personal content on the device, giving end users the added flexibility of using personal devices without impacting the corporate workspace. A remote wipe of data now doesn't impact the entire device, only the contents of the corporate workspace. New policies and changes in access and applications can be applied whenever a user authenticates into their workspace, without having to rebuild or re-wrap any applications in the process, unlike other offerings. This is a unique approach for Oracle.

More details on this new release at  http://www.oracle.com/us/corporate/press/2157116

Rounding out this offering are capabilities that enable complete end-to-end provisioning of access, Single Sign-on within the container, an enterprise app store and much more.

Technical Whitepaper: Extending Enterprise Access and Governance with Oracle Mobile Security

For the latest information on Oracle's Mobile Strategy, please visit the Oracle Mobile Security Suite product page, or check back for upcoming Mobile Security postings on the Oracle IDM blog page this March. 

[1] 2013 X-Force Internet Threat Report

Tuesday Dec 31, 2013

MDM + Oracle Fusion in the Cloud - Simeio Solutions

Introduction
In the previous posts in this series, we covered many concepts, from Mobile Device Enablement, BYOD, Mobile Device Management (MDM) and Mobile Application Containerization to Mobile Identity Management. While the focus of all the prior posts was on the pros and cons and best practices, we would like to take a detour in this concluding post of the series and focus on the cloud and how it relates to the “mobile” landscape.

BYOD, MDM and Cloud Computing are each technologies that are becoming an integral part of the IT landscape at a rapid pace. While organizations have invested in infrastructures that allow their employees to work remotely via technologies like VPN, the technology stack in the era of MDM/BYOD needs to extend to allowing remote access from these mobile devices too.

Cloud Computing
In the information era, innovative concepts come along and emerge as new trends. Not all trends are made equal. Cloud Computing is one such term that has not just emerged as a trend but has enabled technology to take a leap forward in terms of scale and usability. It has taken a quantum leap forward in terms of ambition. As with most technologies, there are many benefits to be gained, but along with understanding the benefits, the business risks must also be evaluated. When evaluating such benefits, it’s important to look not just at the short-term benefits but also at the long-term objectives and goals of an organization's strategy.

What Is Cloud Computing
The term has been given many definitions in the industry. But what does it actually mean? Let’s take a brief look at a few of them:

Wikipedia: “Cloud computing is a phrase used to describe a variety of computing concepts that involve a large number of computers connected through a real-time communication network such as the Internet”

NIST: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared  pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released  with minimal management effort or service provider interaction”.

Merriam-Webster: “The practice of storing regularly used computer data on multiple servers that can be accessed through the Internet”.

For Dummies : “The “cloud” in cloud computing can be defined as the set of hardware, networks, storage, services, and interfaces that combine to deliver aspects of computing as a service”.

Before we provide any more references to confuse you further, let’s pause here. We cited the top 3 sources, and each has its own variation of the definition. So which definition is most apt? Do they all mean something different, or do they all mean the same? The short answer is that they are all the same. Whichever way you read it, it translates to “cloud computing” being a model, a model with certain characteristics.

The characteristics of a cloud network are essentially that it is an on-demand service, able to scale to exponential proportions at a rapid pace, able to aggregate resources from across multiple platforms, and measurable.

The four fundamental deployment models of a cloud service are a public cloud, a private cloud and a hybrid cloud. The terms public and private are by themselves indicative of their use, and hybrid, as its own definition goes, is an amalgamation of the two models.

BYOD in the Cloud:
BYOD’s success is directly proportional to the variety of devices and platforms it introduces to IT systems. For organizations that are proponents of the BYOD ideology, the key factor determining the ease of onboarding users onto the corporate network is the use of Virtual Private Networking (VPN) technology. Enabling users to tunnel into the network via VPN lets organizations allow their users to access files and/or control the applications on local machines that they need for their daily routines, regardless of the platform or device they are using or their location, as long as they are connected to the cloud.

Therefore, it is imperative that cloud connectivity plays an important role in enabling such access across platform or device agnostic systems.  BYOD needs to be part of a wider, holistic approach to Cloud computing.

Now take into account the general Cloud options. The problem with this is that you can lose control of the data while not losing responsibility for it. You don’t even know where it is. At a technical level, this might not be important; however at a legal and regulative level it definitely is. Moreover, your only ultimate control over your own data is your contract with the Cloud provider - and if the provider fails, contracts are no substitute for data.

The BYOD concept is evolving very quickly, and the ways in which enterprises have adopted this technology vary considerably. They are forcing IT section chiefs to think more intrusively and acquire tools to control this situation without restricting the end-user experience. MDM, or Mobile Device Management, is one such very handy tool, but as the BYOD concept continues to spread, businesses will require many other services integrated with MDM. Two such services are Mobile Device Management (MDM) and Content Management.

MDM in the Cloud:
Cloud-based device management doesn't minimize application or operating system bloat, but what it does do is leverage the Internet's bandwidth for delivery, monitoring and metering. If an organization is geographically dispersed and diverse, cloud-based MDM becomes a necessity rather than a requirement. A smart way to set up a cloud-based MDM solution is to place the organization's asset management system in the cloud and allow the processes to take place via users' personal bandwidth. It's kind of an extension of BYOD, but in this case it's BYOB, where the "B" is bandwidth.

By using an employee's personal bandwidth for that "last mile" leg of the delivery process, the corporate network's bandwidth, even on a segregated network, remains available for monitoring, operating system delivery, server patching, administration, and other required maintenance activities.

Cloud-based MDM will be most effective with user devices, which will always outnumber data center ones. User devices burn up the bandwidth due to the sheer number of them.

When we refer to MDM in the cloud, a key issue that pops into mind is “security”. Arguably the greatest challenge faced by organizations embracing BYOD is that of security; ensuring that personal devices aren't compromised in themselves and don't pose a security threat to the rest of the network. Allowing BYODs introduces many more vulnerabilities at various steps in the network and so there are many ways in which these risks can and need to be addressed.

The first step is to reduce the risk of the personal device being compromised in the first place. This is particularly pertinent where employees are bringing their own device in to connect to the business's LAN. To achieve this, some organizations have conditions of use which require that the user's device has specific anti-virus and management software installed before it can be allowed onto the network. However, the risks can also be reduced by ensuring that personal devices are only allowed to connect to the local network via a VPN rather than a direct connection, even when the user is on site.

Using a VPN is a must for users in remote locations as the secure tunnel of a VPN prevents any information being intercepted in transit. It can be tempting for employees working off-site (or even on site) on personal devices to email documents, for example, backwards and forwards but the security of such communications can never be guaranteed.

What's more that approach requires that at least some work data is stored locally on the personal device - a cardinal sin in terms of data protection. Again both VPNs and cloud solutions can negate the need to store local data. Using a VPN will allow the worker to operate on the local network, accessing, working on and storing everything they need on there, rather than on their own device. Secure cloud services on the other hand can be used to provide collaborative workspaces where users perform all their work in the cloud so that colleagues, wherever they are, can access it. However care should be taken to check the security measures used by cloud providers before signing up to such services whilst the user must also ensure that someone who misappropriates a device can't then easily access their cloud account (through lack of device security and stored passwords etc).

Since MDM itself is a relatively new concept, there is disparity of opinion regarding the implementation of a cloud-based system. While most organizations prefer a cloud-based solution, others are not willing to let go of a very recent transition made from traditional networks to MDM. Some, however, have opted for a hybrid solution where data processing is done on servers. A purely cloud-based solution, however, is more beneficial to the requirements of companies, especially if they are on a small scale:

  1. Setup Time: The setup time for a cloud-based system is very short. This is because the data is ultimately in a cloud and the creation of a system which gives access to multiple devices can be done easily.
  2. Setup Cost: Budget constraints are common problems faced by small companies. BYOD automatically removes the strain of providing devices to employees, whereas cloud systems enable mobile device management without the need to spend money on technical equipment such as server machines, cables, power outlets and switches.
  3. Maintenance: Regular maintenance of the server will be unnecessary. If the software has the latest updates and is working properly, chances are the server is providing optimal performance as well.
  4. Costs: One of the most appealing features of MDM is the low initial cost of setup. What is overlooked, however, is that the running or operating costs of cloud systems are reasonable as well. Payment is done simply on a usage basis and according to the number of devices connected to the cloud system.
  5. Ease of Access: The cloud may be accessed from any location, which means that workers in remote locations will be able to work from home or elsewhere.

Oracle Fusion Middleware:

Cloud computing may appear to be spreading like wildfire with both enterprise and personal users jumping at the chance to take advantage of the cost effectiveness, scalability and flexibility that it offers. However, there is a strong debate amongst industry experts, and beyond, as to whether this uptake, however rapid, has been severely tempered by a lack of trust and understanding around cloud services from prospective clients.

Many propose that, as has been the case in many markets that have preceded cloud computing, the answer to client wariness is standardization with the aim of delivering transparencies. In other words, create a market where a client can shop between multiple providers and judge their security levels, data handling, performance and service stability on comparable metrics.

Oracle Fusion Middleware does just that. It is based on standards and enables organizations to standardize their platform offerings.

Oracle Fusion middleware enables you to secure mobile (native and Web) applications with Oracle Access Management. This includes authenticating users with existing credentials; enabling two-factor authentication; and using mobile authentication to enable secure Web services and REST APIs, REST-to-SOAP transformation, and identity propagation.

The latest release of Oracle WebCenter Sites, version 11.1.1.8, provides an integrated mobile Web solution that enables business users to author, edit, and preview content for different groups of mobile devices, all from within the same interface that is used to manage their main Website. Oracle WebCenter Framework is an Oracle JDeveloper design-time extension that breaks down the boundaries between Web-based portals and enterprise applications. It also provides the runtime portal and Web 2.0 framework on which all Oracle WebCenter technology runs.

The Best of Breed
With Oracle Fusion Middleware, you gain access to best-of-breed technology platforms and tools that not only let your organization's BYOD program sprint forward but also enhance your service delivery model, providing your organization with the core tools and technology that power your BYOD and MDM strategy and let you leverage the exact same platform for your enterprise-wide security strategy.

If you’d like to talk more, you can find us at simeiosolutions.com

Wednesday Dec 11, 2013

Facilitating Secure BYOD: Deep Dive - Simeio Solutions

In our first post, we explored BYOD, its imminent challenges and the tool sets one can employ to overcome these hurdles. The second post gave you a peek into Mobile Device Management (MDM) and the set of problems it alleviates.

In this post, I will briefly introduce you to a relatively lesser known mobile security term, 'App Containerization'. Then we will continue to explore the Oracle Access Management Mobile and Social (OAMMS) product offerings. This time, the emphasis will be on 'how' OAMMS facilitates a secure mobile experience and helps you gain insight into what really happens behind the scenes.

Mobile Application Containerization: What does it really mean?
As the name clearly indicates, it is a mobile 'application' level security mechanism as opposed to 'device' level protection with an emphasis on providing finer-grained application-level controls, not just device-level controls. Application Containerization can allow organizations to protect their data on any mobile device by ensuring that security restrictions are applicable only when the user interacts with the enterprise/official business applications.

How is it different from Mobile Device Management?
Mobile Device Management (MDM) empowers IT with device-level controls such as executing a remote data wipe, enforcing a device password policy, etc. It is an indispensable tool for corporations. However, from an end-user perspective, MDM brings to the fore concerns such as:

  • Employee privacy invasion - Why should the organization have ACCESS to my personal photos, emails etc.?
  • Employee personal data sustainability concerns - What if my company wipes out ALL of my personal data on my device in order to reduce risk for a couple of corporate applications?

All that matters is to keep enterprise data secure, not to intrude user's privacy.

'Containerization' is a technique which can help organizations combine the best of both worlds. It is categorized under the 'Mobile Application Management' (MAM) domain. This is a new-generation mobile security technology which ensures a tight rein over corporate data on mobile devices without being too intrusive for the end user. Personal and containerized applications can coexist on the mobile device, but each containerized application's data stays within the confines of its own 'container'. Communication to corporate servers or other 'containerized' applications is completely 'secure'.

App Containerization Fundamentals and Strategies

  • Works on the concept of 'Sand-boxing' the application execution.
  • Provides a secure run-time container for each managed application and its data.
  • Clearly segregates personal and corporate applications and associated data irrespective of the device.

A few of the techniques employed for application containerization are listed below.

Application Wrapping
This strategy involves processing the application via the 'App Wrapping' tool and creating a security wrapper around it. This process does not require any additional 'coding'.

Customized Code Based Integration
Specific Software Development Kits (SDKs) can be leveraged in order to 'code' the functionalities which cannot be delivered via 'Application Wrapping'. Mobile application developers can use APIs in the SDK to weave the capabilities of the mobile security platform into their applications.

Dual Persona
This is a containerization technique wherein corporate and personal applications are installed under separate areas which are abstracted as 'personas'.

Encrypted Space
Applications and data may be kept within the confines of an encrypted space, or folder.

A comprehensive App Containerization strategy combined with device level protection can go a long way in providing end-to-end mobile security.

Where does Oracle come into the picture?
Through its recent acquisition of Bitzer Mobile, Oracle's rich portfolio of mobile security offerings has been further strengthened. Oracle can help organizations with comprehensive solutions to manage the security of enterprise data held on employees' mobile devices.

Why Containerize Your Apps?
Containerization improves user experience and productivity as well as ensuring enterprise safety and compliance by:

  • Enabling secure and seamless data and service sharing between containerized apps. Users can access, edit, sync, and share corporate documents or other workflows that require multiple applications to work in coherence with each other.
  • Restricting a user’s ability to access, copy, paste or edit data held within the application container.
  • Enforcing security policies that govern access to the containerized data.
  • Allowing employees to switch between personal and corporate applications seamlessly, without risk of compromising company information.


Let us pick up the thread from the very first post of this series, and take a deep dive into the Oracle Access Manager Mobile and Social product offerings.

Oracle Mobile and Social Feature Set

OAMMS features can be broadly categorized into the following:

Mobile Services
The Mobile Services segment of OAMMS connects mobile devices and applications to existing IDAM services and components, and enables organizations to reap the full benefit of their existing IAM investments.
The salient features of 'Mobile Services' are as follows:

Authentication
Under the hood, the basic authentication process is powered by Oracle Access Manager. A typical use case encapsulates the following set of events:

  • The user launches the mobile application on his device, which directs him to the Mobile SSO Agent.
  • Assuming that the device is already registered, the Mobile SSO Agent sends the user name, password, and Client Registration Handle to the Mobile and Social server for validation.
  • The Mobile and Social server responds with a User Token as a result of the above process, and this token is then used by the calling mobile application to request an Access Token.
  • Once the Access Token has been issued by the Mobile and Social server, the business mobile application can use it to call the resources/enterprise applications protected by Oracle Access Manager or Oracle Enterprise Gateway.


OAMMS Authentication Process

Authorization
Authorization is handled by Oracle Entitlements Server (OES), which is driven by policy-based configurations. OES manages authorization for mobile devices and applications with the help of the 'mobile device context', which is a type of 'Identity Context' attribute.

Identity Context is made up of attributes known to the multiple identity and access management components involved in a transaction, and it is shared across Oracle's identity and access management components.

Single Sign On
With SSO in place, a user can use multiple mobile applications on the same device without having to provide credentials for each application. Mobile SSO can be leveraged by both native and browser-based applications. A mobile application installed on the device needs to be designated as the mobile SSO agent in order for mobile-based SSO to work.

  • The Mobile SSO agent application acts as a mediator between the Mobile and Social server and the other applications on the device that need to authenticate with the back end identity services.
  • It orchestrates and manages device registration and risk-based authentication.
  • It ensures that the user credentials are never exposed to the mobile business application.
  • It can time out idle sessions, manage global logout for all applications, and help with selective device wipes.

Device Registration
Oracle Adaptive Access Manager (OAAM) policies are executed by the OAAM Mobile Security Handler Plug-in.

  • The OAAM Security Handler Plug-in creates two security handles:
    • oaam.device handle, which represents the mobile device
    • oaam.session handle, which represents an OAAM login session for a client application
  • The above-mentioned 'handles' drive the 'device registration' process.
  • OAAM policies can be configured to force the device registration process to require Knowledge Based Authentication (KBA) or a One Time Password (OTP).

Oracle Mobile and Social leverages adaptive security measures such as OTP by delegating to specialized components such as Oracle Adaptive Access Manager (OAAM).

Lost or Stolen Device Management
The Mobile and Social service works hand in hand with OAAM and counters these risks by providing a way to tag a device as lost or stolen and then implement policies that are designed to be invoked when a compromised device tries to gain access to sensitive resources via the mobile applications.

  • If the device has been reported lost or stolen, OAAM can be configured to challenge the user before providing access to the mobile applications and their associated data.
  • OAAM policies can also be designed to wipe the device data if the device attempts to communicate with the Mobile and Social server after being reported lost or stolen.
  • OAAM policies can be configured to protect against 'jailbroken' devices and wipe their data. The Mobile and Social service needs to be configured with jailbreak detection on.
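
The authentication steps and the lost/stolen device policy described above, as an added example that is not Oracle's code: a small Python simulation of the flow (registration handle, User Token, Access Token, protected resource) in which the device policy is evaluated before any token is issued or honoured. Token shapes, policy outcomes, TTLs and the sample user are assumptions for illustration.

```python
"""Added example, not Oracle's code: a simulation of the OAMMS flow described
above (registration handle -> User Token -> Access Token -> protected resource)
with an OAAM-style lost/stolen device policy applied before any token is issued.
Token shapes, policy outcomes, TTLs and the sample user are assumptions."""
import secrets
import time


class MobileSocialServer:
    """Toy stand-in for the Mobile and Social server plus the OAAM device policy."""
    USER_TOKEN_TTL = 600      # seconds; assumed values
    ACCESS_TOKEN_TTL = 300

    def __init__(self, users, now=time.time):
        self.users = users        # username -> password (constructed sample store)
        self.devices = {}         # Client Registration Handle -> device record
        self.tokens = {}          # opaque token -> claims (server-side token store)
        self.now = now            # injectable clock so expiry can be tested

    def register_device(self, device_id):
        """Device registration: hand out the handle the Mobile SSO Agent will present."""
        handle = secrets.token_urlsafe(12)
        self.devices[handle] = {"device_id": device_id, "status": "registered"}
        return handle

    def report_lost(self, handle):
        """Tag a device as lost or stolen; the policy below keys off this status."""
        self.devices[handle]["status"] = "lost_or_stolen"

    def _device_policy(self, handle):
        device = self.devices.get(handle)
        if device is None:
            return "deny"         # unregistered device
        if device["status"] == "lost_or_stolen":
            return "wipe"         # assumed policy outcome for a compromised device
        return "allow"

    def authenticate(self, username, password, handle):
        """Step 2: the Mobile SSO Agent sends user name, password and handle."""
        # The device policy runs first, so a thief holding a valid password
        # still gets the lost/stolen outcome instead of a token.
        outcome = self._device_policy(handle)
        if outcome != "allow":
            return {"result": outcome}
        if self.users.get(username) != password:
            return {"result": "deny"}
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"typ": "user", "sub": username, "dev": handle,
                              "exp": self.now() + self.USER_TOKEN_TTL}
        return {"result": "allow", "user_token": token}

    def _lookup(self, token, typ):
        claims = self.tokens.get(token)
        if claims is None or claims["typ"] != typ or claims["exp"] < self.now():
            return None
        if self._device_policy(claims["dev"]) != "allow":
            return None           # device status changed after issuance
        return claims

    def access_token(self, user_token, resource):
        """Step 3: exchange the User Token for an Access Token bound to one resource."""
        claims = self._lookup(user_token, "user")
        if claims is None:
            return None
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"typ": "access", "sub": claims["sub"], "dev": claims["dev"],
                              "res": resource, "exp": self.now() + self.ACCESS_TOKEN_TTL}
        return token

    def check_access(self, access_token, resource):
        """Step 4: what the OAM-protected resource asks before serving a request."""
        claims = self._lookup(access_token, "access")
        if claims is None:
            return 401
        if claims["res"] != resource:
            return 403            # token was issued for a different resource
        return 200


def demo():
    """Walk the flow once, then report the device lost and retry."""
    srv = MobileSocialServer({"alice": "correct-horse"})   # constructed sample user
    handle = srv.register_device("phone-1")
    auth = srv.authenticate("alice", "correct-horse", handle)
    at = srv.access_token(auth["user_token"], "/hr/payslips")
    results = [srv.check_access(at, "/hr/payslips"),         # 200
               srv.check_access(at, "/finance/ledger")]      # 403, wrong resource
    srv.report_lost(handle)
    results.append(srv.authenticate("alice", "correct-horse", handle)["result"])  # "wipe"
    results.append(srv.check_access(at, "/hr/payslips"))     # 401, token no longer honoured
    return results


if __name__ == "__main__":
    print(demo())
```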

Internet Identity Services
Internet Identity Services allow Oracle Mobile and Social to act as a relying party and leverage authentication and authorization services from cloud providers. Mobile applications can consume Social Identities securely, and customers can federate easily with social networking sites.

These services benefit the end users as well as the developers.

User centric - The users are presented with convenient multiple log-in options and can use their existing credentials from cloud-based identity services to log in to mobile applications.

Rich OOTB support - Currently, OAMMS supports major Social Identity Providers such as Facebook, Google, LinkedIn, Twitter, Yahoo, Foursquare and Windows Live.

Extensible - Developers can add relying party support for additional OpenID and OAuth Identity Providers by implementing a Java interface and using the Mobile and Social console to add the Java class to the Mobile and Social deployment.

Oracle Mobile and Social services can be easily extended to support other service providers, thanks to a flexible architecture based on 'open' standards such as OAuth and OpenID.

End-to-end flow wherein Identity Services are used in conjunction with OAM (for authentication):
  • A protected application is accessed by the user, and the request is intercepted by the WebGate.
  • The Mobile and Social server presents a login page to the user after OAM analyses the authentication policies applicable to the resource.
  • The login page presents a menu of Social Identity Providers (e.g. Facebook), and the user is redirected to the login page of the selected Social Identity Provider.
  • The user types a user name and password into the Social Identity Provider's login page; the Identity Provider validates them and redirects control back to the Mobile and Social server.
  • The Mobile and Social server then processes the identity assertions supplied by the Identity Provider and, after retrieving the user's identity information, redirects the user's browser to Access Manager. This time, HTTP headers in the page request provide Access Manager with the user's authentication status and attributes.
  • Access Manager creates a user session and redirects the user to the protected resource.


User Profile Services
User Profile Services allow mobile applications to perform a variety of LDAP-compliant directory server tasks.

  • Directory administrative tools can be created wherein an authorized administrator can invoke CRUD operations on users and groups, manage passwords, and maintain entities such as managers.
  • Corporate or community white pages are another common application using User Profile Services.
  • These services are inherently secure and protected by either an OAM token or a JSON Web Token (JWT), and they can also require device and application registration.
  • OOTB support for seamless integration with popular LDAP-compliant directory servers such as Oracle Directory Server, Oracle Internet Directory, Oracle Virtual Directory, Active Directory, etc.

SDKs and REST APIs
SDKs help developers embed identity security features into mobile applications and promote usage of existing identity infrastructure services.

  • They promote ease of development of mobile applications by serving as a security layer and driving features like authentication, authorization, user profile services and secure storage.
  • The SDKs also serve as an 'abstraction layer' which allows system administrators to add, modify, and remove identity and access management services without having to update mobile applications installed by the user.
  • OAMMS provides dedicated APIs for each of its feature categories, namely Mobile, Internet Identity and User Profile services.

Oracle Mobile and Social Services provides separate client software development kits (SDKs) for Apple’s iOS and Google’s Android.

The SDK functionalities are segregated into four distinct modules:

  • Authentication Module - Processes authentication requests on behalf of users, devices, and applications.
  • User Role Module - Provides User Profile Services that allow users and applications to get User and Group details from a configured Identity store.
  • REST Handler Module - Provides access to REST web services and automatic injection of tokens for Access Manager protected REST web services.
  • Cryptography Module - Provides simplified APIs to perform cryptography tasks like hashing, encryption, and decryption.
  • Secure Storage Module - Provides APIs to store and retrieve sensitive data using the preferences storage of Android.


Generic REST API
Oracle Mobile and Social Services exposes its functionality through a consistent REST interface, thus enabling any device capable of HTTP communication to send REST calls to the Mobile and Social server. These can be leveraged when it is not possible to use the SDKs directly to communicate with the Mobile and Social back-end components.

API Security
Oracle API Gateway (OAG) acts as a filtration layer for inbound REST calls into the Mobile and Social server. It integrates seamlessly with OAM and OES to provide authentication and access control.

In the Mobile and Social solution context, OAG provides services such as:

  • Validating JSON Web Tokens (JWT) embedded within REST calls.
  • Mapping of XML to JSON for consumption by mobile devices.
  • Validation of HTTP parameters, REST query and POST parameters, XML and JSON schemas.
  • Protection against Denial of Service (DoS), SQL injection, and cross-site scripting attacks.
  • Auditing and logging of web API usage, tracked for each mobile client.

OAG and OES leverage their individual capabilities to provide context-aware authorization of mobile business transactions, authorization for REST APIs, and selective data redaction in the response payload.
Sequence of steps involved in the OES-powered authorization and 'redaction' process:

  • A mobile application request is intercepted by OAG, which delegates authentication to OAM.
  • OAG uses an integration adapter called the OES Java Security Service Module (SSM) to interact with OES and authorize the request.
  • After successful authentication and authorization, the user is granted access to the requested resource (business application).
  • Further authorization is driven by OES based on configured policies, and it might result in 'redaction' of some confidential information from the response.
  • OES thus provides the 'redacted' response to OAG, which propagates it back to the requester.
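
The gateway services listed above (JWT validation, parameter validation, policy-driven authorization and response redaction), as an added example in Python that is not OAG's or OES's own code: a minimal filter chain that a request passes through before and after the business application is called. The claim names, the policy table, the parameter schema and the sample request are all assumptions.

```python
"""Added example, not Oracle's code: a stand-in for the OAG + OES filter chain.
It verifies an HS256 JWT from the Authorization header, checks query parameters
against a schema, consults a role-based policy table, and redacts fields from the
upstream response. Claim names, policy, schema and sample data are assumptions."""
import base64
import hashlib
import hmac
import json
import re
import time

GATEWAY_KEY = b"constructed-shared-secret"   # constructed; in practice a managed key


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_jwt(token, key, now=None):
    """Return the claims of a valid, unexpired HS256 JWT, or None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return None
    if header.get("alg") != "HS256":      # never let the token choose its own algorithm
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


# Parameter schema (assumed): name -> regex the whole value must match
PARAM_SCHEMA = {"account": r"[0-9]{6,12}", "format": r"json|xml"}


def validate_params(params):
    """Reject unknown parameters and values that do not match their pattern."""
    for name, value in params.items():
        pattern = PARAM_SCHEMA.get(name)
        if pattern is None or not re.fullmatch(pattern, value):
            return False
    return True


# OES-style policy (assumed): role -> (allowed resources, fields to redact)
POLICY = {
    "teller":  ({"/accounts"}, {"ssn", "credit_limit"}),
    "manager": ({"/accounts", "/reports"}, set()),
}


def handle_request(auth_header, path, params, backend, now=None):
    """Run the filter chain; returns (HTTP status, response body or None)."""
    if not auth_header.startswith("Bearer "):
        return 401, None
    claims = verify_jwt(auth_header[len("Bearer "):], GATEWAY_KEY, now)
    if claims is None:
        return 401, None
    if not validate_params(params):
        return 400, None
    allowed, redact = POLICY.get(claims.get("role"), (set(), set()))
    if path not in allowed:
        return 403, None
    response = backend(path, params)
    # Selective redaction of confidential fields before the payload leaves the gateway
    return 200, {k: v for k, v in response.items() if k not in redact}


def make_jwt(claims, key):
    """Build a constructed sample token for the demo (the issuer's side)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def sample_backend(path, params):
    """Constructed upstream response standing in for the business application."""
    return {"account": params["account"], "balance": 1200,
            "ssn": "000-00-0000", "credit_limit": 5000}


if __name__ == "__main__":
    tok = make_jwt({"sub": "bob", "role": "teller", "exp": time.time() + 300}, GATEWAY_KEY)
    print(handle_request("Bearer " + tok, "/accounts", {"account": "123456"}, sample_backend))
```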

OAG and OES working in tandem

Conclusion
I hope you have gained a fair idea of the challenges which enterprise mobility requirements pose and the various options which the Oracle FMW product suite has to offer to modern-day organizations to empower and enable them to overcome these hurdles and successfully mobilize their workforce. Customers who are already utilizing products such as Oracle Access Manager and Adaptive Access Manager can easily leverage Oracle Mobile and Social to extend the same security capabilities to mobile applications. Our final post will introduce you to the nuances of Mobile Device Management (MDM) for facilitating a secure BYOD programme in the 'Cloud'.

About the Author
Abhishek Gupta is a Senior IAM Engineer at Simeio Solutions. He has over 5 years of experience in the IAM space and has been involved in design, development and implementation of IAM solutions for Simeio's customers with a prime focus on Oracle IAM Suite.


Tuesday Dec 03, 2013

Mobile Device Management (MDM) Within Your Enterprise - Simeio Solutions

Introduction
One of the major challenges facing every enterprise in the Bring Your Own Device (BYOD) age is how to maintain control of the devices used to access proprietary data. In this post, the second in our four-part series on BYOD and the changing mobile landscape, we’ll take a look at this issue in more detail.

It’s difficult to overstate the challenge. As organizations enable broader access to more and more information – including highly valuable and sensitive intelligence and intellectual property – they need to ensure that the devices used to access that information are secure, that the devices can be remotely managed and de-authorized, and that information on those devices can be destroyed or disposed of securely. But at the same time, the rise of BYOD means giving up a large measure of control over those devices because they are no longer owned by the organization but rather by individuals who maintain full control and authority over them.

In just a few short years, we’ve moved from uniform, company-owned desktops tethered to the office to diverse, individually-owned mobile devices that can literally be taken – and lost  – anywhere in the world. This mobile revolution has enabled an entirely new kind of workforce and unprecedented productivity and business opportunities, but it has also created a concomitant surge in risk. Addressing this risk has become an organizational imperative, which is why Mobile Device Management (MDM) has become a high priority at most enterprises.

A Plethora of Platforms
When you consider all the moving pieces that are involved in mobile computing – multiple hardware device types and manufacturers, operating systems, applications, telecommunications carriers, and supporting back-end infrastructures – the challenge of securing your mobile devices can seem all the more daunting.

Most enterprises would consider securing the platform vendors, hardware providers and telecommunication carriers to be “out-of-scope” due to the sheer volume of platform vendors and the telecommunication carriers that provide the backbone service to users across continents. It is far more practical to control and enforce restrictions on the individual devices.

In the early days of mobile computing, organizations could select a single platform to support (e.g. Blackberry), which made the job far more manageable. The adoption of BYOD, however, means you’ll need to support a wide variety of platforms, including Google Android, Apple iOS, Microsoft Windows and Blackberry, the four primary players at the moment.

There is no right or wrong platform when it comes to addressing security and MDM. Each platform comes with its own set of features, benefits and associated risks:

  1. Blackberry: The Blackberry has enjoyed tremendous popularity among IT organizations. The Blackberry software provides enterprises with servers and software that offer unparalleled remote management capabilities, but it comes at a cost. Blackberry has also recently lost significant market share to competitors, and many are questioning its survival.
  2. Apple iOS: Many consider the iPhone and iPad to be the most innovative products when it comes to revolutionizing the mobile industry. Unfortunately, many also consider iOS to be one of the weakest platforms when it comes to device management. While the ability to deploy and distribute apps is a breeze, managing these devices remotely could prove to be quite a challenge. Apple has responded to this criticism with a new OS version and hardware with improved security and integrated MDM features.
  3. Google Android: Android is by far the most popular platform as measured by market share. However, it is also known for its notorious variety of devices and flavors of operating environments. Even with the diverse array of OS options available, some Android devices come with enterprise-grade software services that enable remote management (although some do not).
  4. Microsoft Windows: Microsoft is a well-known player in the mobility space, but the reliance on third-party toolsets, systems and servers to manage devices by leveraging the vendor-published device management protocol makes it a complex deployment.

Despite the pros and cons, organizations today must be ready to support any and all of these platforms without compromising the organization's security. Securing the devices, the applications and the data that these devices hold goes way beyond the simple authentication platforms that are currently in place. There is also the need for compliance enforcement to ensure that each of these devices is secured and does not in any way become a pathway for exploits and intrusions into larger systems that form part of an enterprise's proprietary infrastructure.

Past, Present and Future
As device adoption changes over time, it is crucial to be prepared to address these evolving changes as they occur. An oversized platform may reduce in size as time rolls by. Your organization might currently have predominantly iOS and Android devices, but could change to a predominantly Windows based service as time evolves, or vice versa. It is important to acknowledge these evolving patterns and gear up for an ever evolving device adoption strategy.

The current market adoption of the various platforms has Android at 61%, iOS at 20.5%, Windows at 5.2%, Blackberry at 6% and Other devices at 7.3%.


However, there is a huge difference between the overall market share and enterprise use, where Blackberry – despite its fall from grace with consumers – continues to be a dominant player. BlackBerry still has a market share of about 38% among businesses with more than 10,000 employees, as well as more than a 33% share in government and financial institutions. But this appears to be changing rapidly.

This is exactly the kind of situation where a good MDM strategy would enable organizations to traverse any change in market dominance that may occur over time.  Adoption and market share also tend to vary by geographic region. For example, Android adoption could be very high in Asia Pacific while relatively low in North America. Therefore it is necessary to also look at an organization’s geographic employee dispersion ratio while building a strong MDM strategy.

By 2015, it’s projected there will be 7.5 billion mobile devices globally. By 2016, it is estimated that global mobile device usage will grow by 20% in the Android space, 10% in the iOS space, 30% in Windows phones, and 3% more Blackberry users. According to a recent Forrester Research Report, mobility and BYOD programs in use by North American based information workers are expected to triple by 2014. Also, the use of tablets at work is rising at an exponential rate. Today there are 50% more tablets being used in the enterprise than just a year ago.

The bottom line is that the future could hold anything. It could be an exponential increase of one of the aforesaid platforms or an emergence of a new platform altogether. You must be ready in any case.

An Effective MDM Strategy
Building an effective MDM strategy is of great value to any enterprise. We believe there are three key criteria when choosing or developing an MDM solution:

1)  Develop a single, unified solution with the flexibility to address virtually any device or platform.

Given the rapidly shifting market shares and already large and rapidly growing number of mobile devices, it would be a Sisyphean task to maintain one device management tool per device. A better strategy is one that has a broader focus on converging technologies that power a variety of devices.

Having a unified MDM service allows for global policy enforcements. It also allows for rapidly provisioning and de-provisioning devices onto the network with split liability – where individuals agree to cede some control over their personal device, often in exchange for a stipend or sharing of expenses with the enterprise.

Such a unified MDM service gives employees more control over which devices they are allowed to bring in. It also gives employers more control over what these devices can do when on the corporate network.

2)  Cover the complete lifecycle – especially in between the two endpoints.

Your MDM solution shouldn’t be limited to the provisioning and deprovisioning aspects of a BYOD program but should focus more on the period in between those two endpoints, including the ability to:
  • Control what runs on the device when connected to the corporate network
  • Determine whether security protocols have been adhered to
  • Do an over-the-air (OTA) update of applications, configurations or device firmware
  • Support audit requirements
  • Track the location of the devices themselves

3)  Look to the cloud

Organizations embracing “cloud computing” have been steadily increasing, which comes as no surprise with the increased growth in the mobility space. Cloud based Mobile Device Management solutions have emerged as well, which organizations can leverage in tandem with their internal cloud transformation processes.

Prioritizing investments in effective strategies not only allows for on-boarding a new MDM platform at a much more rapid pace, but also helps ensure the security and integrity of the systems that the organization exposes to the cloud, in addition to the devices that are now onboarded into the organization's network.


MDM Best Practices
At Simeio Solutions [http://www.simeiosolutions.com/], we’ve established a set of best practices to help our clients implement a successful enterprise MDM strategy. These include:

  1. Enablement for a multi-platform, vendor-agnostic device on-boarding. Even so, enterprises should allow only the mobile devices that have the best possible control and security built in.
  2. A strong security policy. Enterprises must strive to employ a good encryption methodology, which is a key to building a strong security policy. Device encryption methods can help encrypt the local storage, but enterprises must ensure that it covers all the risk areas including the internal and external systems as well.
  3. Maintain a device registry. Take a periodic inventory of all the devices connected to the corporate network.
  4. Remote over-the-air updates. It is essential to identify unusual situations such as jailbreaks, lost devices, device theft, a number of repeated failed login attempts or failure to connect to the network for lengthy periods (e.g. more than a month), and to enable those mobile devices for remote wiping, automatic padlocking and account locks.
  5. Maintain an application white-list. White-listing of applications allows only authorized software to be installed on the mobile devices and prevents malicious software from entering the corporate network.
  6. SSL and VPN connectivity. Enterprises should employ VPN access to enjoy the benefits of shared networks without security concerns in transmitting sensitive data over the internet, since VPNs encrypt the data in transit.
  7. Regular security updates and patches. Enterprises need to ensure that the mobile devices connected to their corporate network receive regular security updates, along with upgrades and patches for the mobile operating systems (iOS, Android OS, Blackberry OS, etc.).
  8. Deploy intrusion detection and prevention systems (IDS/IPS). IPS helps to proactively respond to security threats initiated on the corporate network by smartphones and tablets. Enterprises could extend their existing IPS systems to monitor mobile devices and help deter risks associated with remote attacks.


MDM and Security
Addressing security is a critical component of an effective MDM strategy. Inevitably, you'll have a laundry list of security issues that must be considered and addressed. You may need to look at security from many perspectives, including how to secure the data on the device, how a device or user is authenticated prior to enabling access to information or resources, and even how the data being transmitted is secured from tampering while ensuring confidentiality.

Security as it pertains to MDM involves cryptographic algorithms such as RSA, MD5, and AES. It also involves token services like HOTP, OATH, TOTP. You will need to pay attention to protocols such as HTTPS, LDAPS, and other secure means of transmission. There are also session handlers, two-factor authentication services, secure delete, and device management capabilities including remote wipe, remote lock, and remote install.

The three major components of a strong MDM security framework are:

  1. Data Access Security Mechanisms
    • User and device authentication
    • Authorization and policy enforcement
    • Integration with other token services that leverage existing identity management infrastructure services to access services such as Salesforce.com or Box.net
  2. Data Storage Security Mechanisms
    • Encrypt data at rest, both on the device as well as on the server side applications and service components
    • Secure delete and the ability to overwrite existing data
    • Protection of keys, credentials and tokens used to decrypt data and make the data available for use
  3. Data Transmission Security Mechanisms
    • Establishing a secure connection between the device and the company’s infrastructure
    • Creating and managing sessions for the required set of transactions
    • Handling HTTP requests in the appropriate manner
    • Encryption of data transmitted over the channel

Bring it all together
Scaling to support all of the possible mobility-enabled devices could incur significant hardware costs and create management complexity. Even though scalability may seem like a distant concern for some enterprises, the proliferation of mobile devices and applications growing at the current rate will make that concern a reality sooner rather than later. Enterprises will do well to incorporate long-term scalability requirements into their plans early on.

Luckily, a variety of solutions have emerged to help organizations meet this challenge. Oracle, for example, has a suite of tools that can make it easier for organizations to deploy a strong MDM solution. They can even make it easy for employees to onboard their own devices to the corporate infrastructure in split liability mode.

Oracle Beehive is one such tool. It provides an integrated set of communication and collaboration services built on a single scalable, secure, enterprise-class platform. Beehive allows users to access their collaborative information through familiar tools while enabling IT to consolidate infrastructure and implement a centrally managed, secure and compliant collaboration environment built on Oracle technology.

Oracle Utilities for Operational Device Management is another example. It was developed by Oracle solely for the purpose of meeting the needs of asset management for “smart devices.” The software manages devices such as meters, access points or communication relays and communication components attached to various devices that are too complex for traditional asset management systems. It handles critical functions, such as managing and tracking updates and patches, as well as supporting governance and regulatory audits and smart grid Network Operations Center (NOC) processes.

Oracle Platform Security provides an abstraction layer in the form of standards-based application programming interfaces (APIs) that insulate mobile app developers from security and identity management implementation details. With OPSS, developers don’t need to know the details of cryptographic key management or interfaces with user repositories and other identity management infrastructures. Thanks to OPSS, in-house developed applications, third-party applications, and integrated applications benefit from the same, uniform security, identity management, and audit services across the enterprise.

These are just a few examples of the tools available that can help you design and deploy an effective MDM solution. In our next post, we’ll take a look at Mobile Access Management, another key aspect of managing mobile devices in the BYOD age.

About the Author:

Rohan Pinto is a Senior IAM Architect at Simeio Solutions who is responsible for architecting, implementing and deploying large-scale Identity Management, Authentication and Authorization (RBAC, ABAC, RiskBAC, TrustBAC) infrastructures with specific emphasis in Security.


Monday Nov 18, 2013

The Technology Stack of Mobile Device Enablement - Simeio Solutions

Introduction
Mobile computing has proven to be a game changer, revolutionizing the way we work, communicate and connect. Arguably, this revolution can trace its roots back to the 'Personal Computer', which freed individuals and organizations from the centralized mainframe operating model, and we haven't looked back since then. But what's remarkable about mobile computing is the unprecedented pace of change and innovation it has brought about. Mobile devices are penetrating and transforming businesses today far faster than any previous generation of computing technologies, including laptops and desktops.


Current landscape
Today, "going mobile" means a lot more than just modifying the content to fit a browser on a small screen size. Infrastructures can no longer afford to limit remote or mobile access to browser-based functionality. Users need access to more applications and data, from a wider variety of mobile and wireless devices.
Mobile device capabilities have reached new heights, which in turn has spurred demand for rich mobile applications that require access to private enterprise data in order to deliver functionality. These applications have become indispensable tools for end users. They are being inextricably woven into day-to-day business operations in an effort to improve productivity. In spite of the complexity, these devices are becoming a critical component of the computing environment because of their versatility.


Enter BYOD
Perhaps the single biggest driver of the mobile revolution has been the widespread adoption of “Bring Your Own Device” or “BYOD.” BYOD is the policy of permitting – or even encouraging – employees to bring personally owned mobile devices (laptops, tablets and smart phones) to their workplace, and to use those devices to access privileged company information and applications. Seemingly overnight, BYOD has supplanted the traditional policy of permitting only “corporate-liable” or “CL” devices, those that are owned and issued by the company.


The Benefits of BYOD
BYOD fosters business process efficiency by allowing employees to complete their tasks at any time and from anywhere – whether they are sales representatives, technical analysts in the field, customer-facing employees, manufacturing reps and the like. Every one of these employees needs access to data, which can enable them to make the right decisions, answer queries, come up with proposals, close deals and execute other vital tasks.
The benefits of BYOD include:

  • Improved workplace flexibility and productivity with secure "anytime, anywhere" access for employees. It promotes employee satisfaction. It also increases effective employee work hours in small increments per week, which in turn translates to a greater throughput from the workforce.
  • Increased sales revenues from quick, reliable access to business-generating applications on employee-owned devices.
  • Competitive appeal for market leadership and recruiting. Adopting innovative technology solutions such as mobility is valued by organizations for maintaining competitive positioning in their respective marketplaces.
  • Reduced costs for acquiring, distributing and replacing corporate-liable (CL) devices.
  • Reduced complexity and costs from internally maintaining the mobility infrastructure.
  • Decreased help desk support with a reduction in the number of inbound calls for CL devices.

This is definitely not an exhaustive list, but it covers the common factors fueling BYOD adoption.


Imminent Challenges and Risks
It's not too difficult to lose a smartphone or tablet, resulting in confidential data being exposed to untrusted entities. Thus, accessing and storing corporate data on private devices presents unique security challenges to the enterprise. The IT security team and the CIO office are now dealing with questions such as:

  • Do our enterprise applications qualify as "secure" and "cloud ready"?
  • How do we manage security of the enterprise applications in a scenario where a plethora of mobile devices connect to them for accessing sensitive data?
  • How can my company enable social trust as a means of connecting to customers and employees?
  • What about securing the digital and intellectual property which has been exposed as a result of the BYOD scheme?

Some of the inevitable challenges for organizations adopting BYOD include:

  • Handling the deluge of BYOD demand (tablets, smart phones, smart watches and more)
  • Adapting to costs and risk that are no longer "per user" but rather "per device"
  • Avoiding the risk of revolt when applying corporate lock-downs and restrictions on devices owned by the employee
  • Addressing the increased threats associated with mobile
  • Obtaining increased budget to address the risk of mobile
  • Adopting configuration management to reduce vulnerability exposure
  • Managing what apps are allowed
  • Determining how to track and manage a personal device the same way as a CL device without violating personal privacy
  • Using mobile as an "enabling" component to the business instead of a roadblock

There are four primary areas that are putting consumers and enterprises at risk on mobile platforms:

  • Access-based attacks – Privileged users who have access to more data than they should, or who use legitimate access to steal confidential data and share or use it in ways that negatively affect the organization.
  • Device loss – The loss or theft of a corporate or personal device that contains confidential data on the device itself or within secondary memory.
  • Rogue malicious apps – Applications that have been compromised by attackers and posted on various app stores, containing hidden payloads that steal data, initiate connections, commit outbound toll fraud or are used as a launching point for attacks inside a trusted corporate network.
  • SMS attacks – Unwanted inbound SMS messages from attackers that trick users into taking actions that can lead to installation of code or to increased carrier-based charges.


Identity and Access Management to the Rescue
Luckily, corporations facing these risks and challenges don’t have to go it alone. The field of Identity and Access Management (IAM) has evolved just as rapidly with solutions designed to address key aspects of BYOD adoption:

  • Mobile Device Management (MDM)
  • Mobile Identity Management (MIM)
  • Mobile Application Management (MAM)

IAM solution providers, including our company, Simeio Solutions, have seen tremendous growth in these areas, with new tools, technologies, methodologies and best practices designed to help organizations adopt BYOD securely and effectively.

The need of the hour is seamless and secure digital connectivity for cloud and mobile integration in order for BYOD to prosper.
Here is where a product like Oracle Mobile and Social Access Management comes into the picture. Oracle Mobile and Social Access Management is a solution which enables an organization to secure mobile access to its enterprise applications. It includes a server which acts as a “secure wall” between external mobile client applications and the enterprise applications and data stores (which the mobile applications eventually access), leveraging the existing back-end identity infrastructure services in order to regulate the interaction between both entities.

Oracle Mobile and Social Access Management Offerings


The Oracle Mobile and Social Access Management solution includes features in each of the following key areas: MDM, MIM and MAM.


Mobile Device Management

  • Device Enrollment – Oracle Mobile and Social Service components enforce device registration as a prerequisite to granting access to sensitive enterprise applications/data. A “Client Registration Handle” is used to process first-time device registration post user authentication via the Mobile and Social server.
  • Device Fingerprinting – Mobile and Social Access Server leverages the service from Oracle Adaptive Access Manager (OAAM) in order to deliver functionality such as Device Fingerprinting. OAAM provides capabilities such as One Time Password (OTP) and Knowledge Based Authentication (KBA) based on policies and risk assessments.
  • Device Blacklisting – Oracle Mobile and Social Access Services address the inherent risk of smart phone theft. They provide capabilities to blacklist/block insecure devices and/or wipe sensitive security information from the device according to the threat level.

Mobile Identity Management

  • Mobile User Authentication – Oracle Mobile and Social Services facilitate delegation of mobile user authentication to existing and trusted components such as Oracle Access Manager (OAM) and Oracle Adaptive Access Manager (OAAM, for strong authentication).
  • Mobile User Authorization – Oracle Entitlements Server (OES), a fine-grained authorization server, is leveraged to provide authorization services for mobile users based on its policy-driven decision engine, in order to enforce appropriate access for mobile users to back-end enterprise applications.
  • Social Identity support – Oracle Mobile and Social Services facilitate the use of social internet identities such as Facebook, Twitter, Google, LinkedIn, etc., for signing on users to less sensitive applications. Many of these providers are based on open standards such as OpenID and OAuth, and this in turn can be leveraged to provide rich user experiences.


Leveraging Social Identities


Mobile Application Management

  • Mobile Apps Single Sign-On (SSO) – A mobile user can run many mobile applications on the same device without having to authenticate to each application individually. The out-of-the-box software development kit (SDK) shipped as a part of Oracle Mobile and Social can be used to build and configure Mobile SSO agents, which serve as a centralized point from which authentication and SSO can be managed. SSO functionality is also available to web-based applications in addition to inter-application SSO.
  • Application Registration – In order to strengthen mobile application security, Oracle Mobile and Social Services ensure application registration before allowing access to sensitive data housed within enterprise applications.

Oracle Mobile and Social Access: The Big Picture


Conclusion
Mobile computing is here to stay. Along with its many luxuries, its penetration has introduced new complexities and challenges to organizations. They cannot afford to fall back on user awareness and user agreements to provide security. The question is no longer about allowing or denying mobile access. The question for today is about effective management.
This post is just the first in a 4-part blog series. In our next post, we’ll have in-depth coverage of Mobile Device Management (MDM).

About the Author
Abhishek Gupta is a Senior IAM Engineer at Simeio Solutions. He has over 5 years of experience in the IAM space and has been involved in design, development and implementation of IAM solutions for Simeio's customers with a prime focus on Oracle IAM Suite.

Friday Oct 04, 2013

Oracle OpenWorld 2013: Developing Secure Mobile Applications (CON8902)

As more organizations develop mobile applications that access ever increasing levels of sensitive data, it is critical that standard security policies can be applied, whether coding native, hybrid or mobile browser-based applications. This session, from OpenWorld 2013, will teach you how to code your mobile applications to gain access to Oracle's Mobile Access Management services including device registration, authentication, authorization, step-up authentication and single sign-on. If you missed this, or would like a second opportunity to see this presentation in slide form, join us by checking out "Developing Secure Mobile Applications" today.

Wednesday Sep 18, 2013

OOW 2013 Content: API Management: Enable Your Infrastructure for Secure Mobile and Cloud Use

Is your organization prepared for the expanding roles of mobile & cloud, and the enabling capabilities of REST-based APIs and Web services?

API Management: Enable Your Infrastructure for Secure Mobile and Cloud Use CON8817 will explore how organizations are able to launch mobile and cloud applications with little or no change to their existing systems by leveraging Oracle’s complete mobile access management solution. In addition to presenters from Oracle, this session will also feature Peter Tsatsaronis (nab) and Matt Topper (UberEther, Inc).

Plan on attending this session on:

Tuesday, Sep 24, 5:15 PM - 6:15 PM - @ Moscone West - 2017

Tuesday Sep 17, 2013

OOW 2013 Content: Securely Enabling Mobile Access for Business Transformation

Online communication has been transformed by the advent of effective mobile computing, and more organizations are providing employee and customer access to services via mobile devices.

Securely Enabling Mobile Access for Business Transformation [CON8896] will review the security and usability concerns that are further compounded by bring your own device (BYOD) policies. In addition to speakers from Oracle, this session will also include presenters Arup Thomas (Verizon Wireless) and Abdullah Togay (Ministry of National Education).

Plan on attending this session on:

Tuesday, Sep 24, 12:00 PM - 1:00 PM - @ Moscone West - 2018

Monday Jun 10, 2013

Embracing Mobility in the Workspace: Oracle API Gateway

“In 2013, mobile devices will pass PCs to be most common Web access tools. By 2015, over 80% of handsets in mature markets will be smart phones.”

- Gartner Research

Across the globe, corporations are embracing the influx of mobility and the last five years have seen an expanding role of mobility in the workspace. Enterprises everywhere are coming up with innovative initiatives to support the mobility needs of personnel working for them. In addition, a variety of mobile applications and services are being offered to the workforce to make them more effective and efficient at work. Such applications and services unify different user populations within the organization, including internal workforce, partners, customers, and consumers, with the internal and external resources of the organization.

There are numerous reasons why enterprises are embracing mobility in the workspace and the chart below highlights the most important ones:

The devices used by the user populations are usually diverse in nature and lead to a fragmented and disconnected landscape. As a result, IT architects and product managers of organizations are compelled to develop applications that can be ported to the mobile devices of users. However, the deployed in-house applications aren’t capable of averting the increasingly sophisticated identity thefts and data breaches of today. Development and utilization of secured mobile applications is often the primary concern of infrastructure and solution architects today.

Forrester Consulting commissioned a study on behalf of Cisco Systems in 2012 to gather information on top security concerns and compatibility issues that concern senior-level decision-makers. The chart below illustrates the results.

There are a lot of aspects that should be managed to effectively support mobile devices. They are:

  • Password and User Management – Management of multiple passwords and user identities for each application.
  • Device Management – Management of authentication and authorization of devices, allowing users to access company resources securely. High mobile device turnover among the user population calls for re-registration of new devices and blacklisting/wiping of corporate information from older devices. Device management automates such processes in a structured manner.
  • Application Access Management – Management of role-based access, which is usually absent or is being managed locally in the application, leading to unauthorized access to applications. Local role management also leads to redundant and expensive management of access to applications via roles.
  • API Management – Management of central publishing, promoting, and monitoring of exposed APIs within a secure and scalable environment, which is often missing. Many applications today expose web services which may not be consumed by mobile devices as efficiently as possible.

The following section describes how the above-mentioned aspects are managed and how challenges and issues related to adoption of mobile devices are addressed by using Oracle API Gateway and a variety of other components of the Oracle Access Management stack.

  • User Management – The mentioned aspects and challenges are addressed by having a user provisioning tool like Oracle Identity Manager (OIM). OIM streamlines user provisioning and de-provisioning, and other identity-based lifecycle events in the organization. Along with that, users are also provisioned access to various target systems. Once the step of access provisioning is completed, Oracle Access Management (OAM) steps in for users who wish to access the target system by using single sign-on. The authentication can be done by binding to LDAP, but OAM brings additional advantages as it allows various policies and procedures to be defined and implemented for the users accessing target systems within the enterprise. Furthermore, access requests to all resources from mobile devices are intercepted by Oracle API Gateway or OAG (deployed in the DMZ) in order to enforce the policies that define the steps involved. OAG gathers the necessary user, application, device, and network context data to enable authentication decisions and validates the gathered data using the Access Management tool as per the policies laid down.

However, this approach only performs user authentication and relies on the Access Management tool to perform coarse-grained authorization, and may not be sufficient for the detailed authorization rules defined within the application itself.

Please refer to the figure below for a better understanding.

  • Device Management – Mobile devices used by users are registered through Identity Manager as an asset and this information is provisioned to an LDAP directory, a device database, or an app registry. Also, Oracle API Gateway is used to perform device authentication by using the custom authentication logic it comes with. Once the device is authenticated, a device token is generated, and the same is used by the mobile device in subsequent interactions in order to fetch the desired information from the applications. This is a simple approach and can be employed to achieve the desired results in small work environments where functionalities like device profiling, blacklisting and whitelisting, knowledge-based authentication, and device control are of less importance.

For work environments that are larger and more complex, and where the previously mentioned functionalities are important, the Access Management component can be extended to include and deploy Oracle Adaptive Access Manager (OAAM) along with Mobile and Social Services components. By doing this, the desired Device Management functionality is implemented.

In other scenarios, device registration can also be delegated to OAAM components rather than registering the device through Oracle Identity Manager against the user record. Here, Mobile and Social Services components play the crucial role of mediating security tokens for mobile devices to access enterprise resources and cloud-based applications.

Please refer to the figure below for a better understanding.

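The device-token flow described above, as an added example that is not part of the original post or of any Oracle product: a hypothetical registry enrolls a device against an authenticated user's record, issues an HMAC-signed device token, validates it on later requests, and refuses tokens for devices that have since been blacklisted. The class, the signing key and the token layout are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class DeviceRegistry:
    """Hypothetical device registry plus device-token issuer/validator.

    A device is registered as an asset against the user who authenticated,
    a signed token bound to device and user is issued once the device is
    authenticated, and the token is presented on every later request.
    Validation re-checks the registry, so blacklisting a lost or stolen
    device revokes it even if its token has not yet expired.
    """

    def __init__(self, signing_key: bytes, token_ttl_seconds: int = 3600):
        self._key = signing_key
        self._ttl = token_ttl_seconds
        self._devices = {}  # device_id -> {"user", "fingerprint", "status"}

    def register(self, user: str, fingerprint: str) -> str:
        """Enroll a device after the user has authenticated; returns its id."""
        device_id = secrets.token_hex(8)
        self._devices[device_id] = {
            "user": user, "fingerprint": fingerprint, "status": "active"}
        return device_id

    def blacklist(self, device_id: str) -> None:
        """Mark a device so that every token bound to it is refused."""
        if device_id in self._devices:
            self._devices[device_id]["status"] = "blacklisted"

    def issue_token(self, device_id: str, now: int) -> str:
        """Return an HMAC-SHA256 signed token bound to device and user."""
        record = self._devices.get(device_id)
        if record is None or record["status"] != "active":
            raise PermissionError("device not registered or blacklisted")
        payload = {"dev": device_id, "sub": record["user"],
                   "exp": now + self._ttl}
        body = _b64url(json.dumps(payload, sort_keys=True).encode())
        sig = _b64url(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"

    def validate(self, token: str, now: int):
        """Return the payload if the token is genuine, unexpired and the
        device is still active; otherwise None."""
        try:
            body, sig = token.split(".")
        except ValueError:
            return None  # malformed token
        expected = _b64url(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None  # forged or tampered token
        payload = json.loads(_b64url_decode(body))
        if payload["exp"] <= now:
            return None  # expired
        record = self._devices.get(payload["dev"])
        if record is None or record["status"] != "active":
            return None  # device blacklisted/wiped since the token was issued
        return payload


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock so the output is repeatable.
    registry = DeviceRegistry(b"constructed-demo-key", token_ttl_seconds=600)
    dev = registry.register("alice", "constructed-fingerprint")
    token = registry.issue_token(dev, now=1000)
    print("valid:", registry.validate(token, now=1100))
    registry.blacklist(dev)
    print("after blacklist:", registry.validate(token, now=1100))
```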
  • Application Access Management – The above two architectures explain how Oracle API Gateway (OAG) manages and performs user and device authentication. Oracle API Gateway is the policy enforcement point for mobile devices in a similar way that WebGates are policy enforcement points for Oracle Access Management. However, fine-grained authorization can’t be overlooked.

The classical approach to programming included embedding the authorization logic within the application itself, making the management and extension of application security cumbersome. It can also lead to failed audit and compliance objectives, which require certifying who has what access and at what level. This may not be acceptable in today’s world of increased scrutiny of applications and their access.

Fortunately, Oracle Entitlements Server (OES) comes to the rescue and serves as a central policy decision/definition point where all applications can externalize authorization rules. When used with OAG, the authorization policies defined in OES are enforced. In addition, the combination can also redact data elements based on the various roles of users accessing applications through mobile devices.

The figure below will be able to help you understand the concepts better.

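An added illustration, not Oracle code, of the externalized authorization and role-based redaction just described: a hypothetical policy decision point holds the rules (the role OES plays here) and a gateway enforcement point asks it for a decision and redacts fields of the back-end response before returning it to the mobile client (the role OAG plays). The resources, roles, fields and sample record are constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Rule:
    """Permit `action` on resources matching `resource` for any of `roles`."""
    resource: str
    action: str
    roles: frozenset


@dataclass(frozen=True)
class Redaction:
    """A field of `resource` responses shown in clear only to `visible_to`."""
    resource: str
    field: str
    visible_to: frozenset


class PolicyDecisionPoint:
    """Hypothetical central decision point where applications externalize
    their authorization rules instead of embedding them in code."""

    def __init__(self, rules, redactions):
        self._rules = list(rules)
        self._redactions = list(redactions)

    def is_permitted(self, roles, resource, action) -> bool:
        roles = set(roles)
        return any(fnmatch(resource, r.resource) and r.action == action
                   and roles & r.roles for r in self._rules)

    def fields_to_redact(self, roles, resource):
        """Obligation returned with a permit: fields the caller may not see."""
        roles = set(roles)
        return {r.field for r in self._redactions
                if fnmatch(resource, r.resource) and not roles & r.visible_to}


class GatewayEnforcementPoint:
    """Hypothetical enforcement point sitting between mobile clients and
    the back-end application, applying the decision point's verdict."""

    REDACTED = "***"

    def __init__(self, pdp: PolicyDecisionPoint):
        self._pdp = pdp

    def handle(self, roles, resource, action, backend_response):
        """Return (status, body): (403, None) when denied, otherwise
        (200, response with redacted fields masked, nested records included)."""
        if not self._pdp.is_permitted(roles, resource, action):
            return 403, None
        hidden = self._pdp.fields_to_redact(roles, resource)
        return 200, self._redact(backend_response, hidden)

    def _redact(self, value, hidden):
        if isinstance(value, dict):
            return {k: (self.REDACTED if k in hidden else self._redact(v, hidden))
                    for k, v in value.items()}
        if isinstance(value, list):
            return [self._redact(v, hidden) for v in value]
        return value


# Constructed sample policy; not taken from any product configuration.
SAMPLE_PDP = PolicyDecisionPoint(
    rules=[
        Rule("/api/customers/*", "GET", frozenset({"sales", "support", "compliance"})),
        Rule("/api/customers/*", "PUT", frozenset({"sales"})),
    ],
    redactions=[
        Redaction("/api/customers/*", "ssn", frozenset({"compliance"})),
        Redaction("/api/customers/*", "credit_limit", frozenset({"sales", "compliance"})),
    ],
)

# Constructed back-end record that the gateway would receive and filter.
SAMPLE_RECORD = {
    "id": 42, "name": "Constructed Customer", "ssn": "000-00-0000",
    "credit_limit": 5000,
    "contacts": [{"phone": "555-0100", "ssn": "000-00-0001"}],
}

if __name__ == "__main__":
    gateway = GatewayEnforcementPoint(SAMPLE_PDP)
    for role in ("sales", "support", "compliance", "guest"):
        print(role, gateway.handle({role}, "/api/customers/42", "GET", SAMPLE_RECORD))
```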
  • API Management – Enterprises today have applications that expose web services primarily meant for either intranet use or exchanging information with business-partner applications. That paradigm has taken a major shift with the proliferation of on-boarded mobile devices and the need to access the respective applications on these devices. Mobile devices may not be able to consume the exposed web services as efficiently, and thus enterprises need to adopt strategies to either re-write or extend those web services for such use cases, or to rely on Oracle API Gateway (OAG) features and functionalities.

OAG provides functionalities that shield enterprises from these efforts and perform content transformation on the fly in order to make services suitable for mobile device use. Oracle API Gateway provides a controlled connection between APIs and the applications that expose them. OAG also provides access-related metrics for any APIs managed by it. In a well laid-out architecture and implementation of OAG, enterprises can expose these services confidently with additional benefits such as threat protection and XML acceleration while maintaining the same performance levels, along with exceptional reporting and analytics capabilities across all services.

In all, mobile devices have evolved to better suit the needs of consumers but at the same time have traded off some of their security to ensure usability. These trade-offs increasingly contribute to security risks when such devices connect to enterprise resources.

The security risks should be addressed in an effective manner to protect precious company resources and comply with increasingly strict regulations. A mobile access management solution using Oracle API Gateway technology unifies enterprise resources and cloud-based resources across network boundaries for mobile devices. This solution assures enhanced security, regulatory compliance, improved governance, and increased productivity.

Webinar

For more information and to register for our upcoming joint webinar with guest presenters Arun Mehta from AmerIndia and Sid Mishra from Oracle Corporation, please go to http://www.amerindia.net/webinars.php. Here you will be able to pre-register for this event, where we will discuss the changing face of mobile devices in today’s work environment and the risks associated with this upcoming trend. In addition, solutions available to address such risks will be described, while also highlighting solutions specific to different types of organization.

Author

Arun Mehta
Mobile Security Practice Leader
AmerIndia Technologies Inc.

Arun Mehta is Principal Solution Architect in Mobile Security, Security Solutions practice at AmerIndia Technologies Inc. In this role, Arun leads a team of specialist technical consultants and architects across North America focusing on Oracle's Security and Identity Management technology. Arun has been in the field of security for over a decade and has experience across large and complex Identity Management projects in the North America region covering multiple industry verticals. More recently, he has been engaged on a number of projects including enterprise security platforms and mobile access management to help customers enable digital and business transformation initiatives.

AmerIndia Technologies Inc.

AmerIndia Technologies Inc. is a full-service information security consulting firm and an Oracle Gold Partner. We specialize in security assessments, software security, mobile security, identity and access management, cloud identity management, API management, certification, regulatory compliance, and vulnerability management. AmerIndia serves clients throughout the United States.

Our expertise and client base span all major verticals. Customers include Fortune 5000 companies in the financial, technology, healthcare, insurance, education and manufacturing sectors. Because of our wide range of experience and subject matter knowledge, major consulting firms also rely on AmerIndia as a trusted partner.

For more information, visit our website: www.amerindia.net

Wednesday Mar 27, 2013

Virgin Media Webcast Tomorrow

A quick reminder that tomorrow (Thursday, March 28) at 10 am PDT / 1 pm EDT, experts from Virgin Media, implementation partner aurionPro SENA and Oracle will discuss how Virgin Media successfully enabled secure wi-fi services in London Underground in time for the London Olympics 2012.

Join the webcast to hear how Virgin Media, the UK’s first combined provider of broadband, TV, mobile, and home phone services, used Oracle Identity Management, Oracle Virtual Directory, and Oracle Entitlements Server to leverage back-end legacy systems for the project, systems that were never designed to be externalized.

You’ll learn how Virgin Media:

  • Transformed the London Underground deployment into a platform for authorizing other services
  • Reused Oracle Entitlements Server and Oracle Virtual Directory for authorizing customers to view video-on-demand content on their Virgin Media set top boxes
  • Expanded to deliver true place-shifting—allowing subscribers to watch pay-per-view assets from any device, anywhere

As you continue to embrace mobile and social, Oracle Identity Management will become even more important, enabling interaction and securing the experience. Join us and find out how.

Register now for this Webcast, “Virgin Media Takes Identity Management Underground.”

Experts will be on hand to take your questions live. You can also submit questions via Twitter: direct them to @OracleIDM using #IDMtalk.

Webcast: Virgin Media Takes Identity Management Underground
Thurs., March 28, 2013
10 a.m. PT / 1 p.m. ET

Monday Mar 18, 2013

Do You Trust Social, Mobile and Cloud?

Over the last decade or so there has been a complete transformation in the way we work and how we consume information. Work is no longer about geography; it is an activity. “Company resources” are not just servers and systems in your server room; they could be in a data center, in the cloud or even on employees’ smart phones, iPads, tablets and more. Users of these “company resources” could be employees with physical badges, vendors, partners or customers connecting through social media channels such as Facebook, Twitter or Pinterest. Work can happen anywhere, via any device, through any network (intranet/social media channels/internet) leveraging company resources.

And why are organizations adopting this “work anywhere, anytime” model? The reasons are plenty: to improve efficiency, bring agility, build user productivity, offer a seamless user experience to customers or simply to establish a trust relationship with the customer. Social, Mobile and Cloud (SoMoClo) together are a business opportunity, a competitive advantage that organizations are seeking. And security is the lynchpin in this new work order. Without a secure, seamless digital experience, it all falls apart.

With each new experience, the security risk increases. Each channel presents its own security points of failure. How can my company enable social trust as a means of connecting to customers & employees? How do I accommodate dynamic workgroups and teams of people around the globe that need to be part of my value chain? Is the Bring Your Own Device (BYOD) threatening the security of my digital and intellectual property? How can I securely connect mobile devices to my enterprise without compromising security? Are my applications secure enough to be cloud ready?

The security solution, thus, needs to scale and span across all the channels, encompass the growing breadth of both the “company resources” and the user population. The solution needs to provide the foundation (a platform) that feeds uniform security policies and extends identity context to the complete digital experience.

Naresh Persaud, Director, Security and Identity Management at Oracle, discusses the IT transformation driven by SoMoClo and underscores the need for a sound security solution. Catch this brief screencast on Securing the New Digital Experience to learn how the latest advances in Oracle Identity Management and Oracle Fusion Middleware solutions are fueling the transformation that is driving innovation in IT today.

For more information on Oracle Identity Management, visit us or join the conversation on our blog, Facebook page or catch us on Twitter.

Thursday Jan 10, 2013

Partner Blog Series: Deloitte Talks Part 2: BYOD - An Emerging technology Concept

There’s an accelerating trend in the workplace raising new challenges for today’s CIO: the bring your own device (BYOD) revolution. The use and acceptance of mobile devices in the workplace is a critical issue that many chief executives are considering for their corporate environment. A BYOD strategy enables an employee to use a single device with the flexibility and usability they prefer, while providing access to both their personal and business applications and data. There are also potential cost savings for the enterprise as the employee may bear the cost of the device and the ongoing mobile access plan. An enterprise should consider the extent to which BYOD will be embraced, and the challenges BYOD presents as a part of an enterprise’s overall mobile security management strategy.

Before embarking on this journey, an organization should first decide – why BYOD? Does the increased user productivity and availability of data outweigh the risk and the associated mitigation expense? There are risks introduced at the device, application and infrastructure levels that present new challenges. These challenges may vary from compliance issues, to data leaks, to malware, and will likely only intensify as the number of mobile devices and operating systems proliferates. Another option is that the employer can provide employees with a mobile device, hoping to enhance their productivity and ability to support the organization remotely. The illustrative chart below depicts some of the pros and cons of an employer providing corporate mobile devices versus letting employees use their own mobile phones and tablets.

Benefits/Obstacles: Bring Your Own versus Corporate Provided

Pros – Bring Your Own
  • Device and connectivity costs incurred by employee
  • Addresses increased demand of employees to connect personal devices to corporate networks

Pros – Corporate Provided
  • Tighter device oversight and control
  • Streamlining devices, platforms and OSes simplifies IT support
  • Service fees negotiated with service providers; increased purchasing power

Cons – Bring Your Own
  • Limited device oversight and control
  • Increased challenges with enforcing legal and regulatory requirements
  • Device and data ownership questions

Cons – Corporate Provided
  • Cost of providing devices
  • High employee demand for broader diversity in devices can lead to lower satisfaction and adoption
  • May require potential increase in IT support staffing and skill set requirements
  • Privacy considerations with monitoring of employee usage and activity, etc.

As an organization gains an understanding of the key risks that may affect the business, the next step is determining and defining the approach to a secure BYOD solution deployment. One of the primary risks of mobile devices to the enterprise is the security of data that is stored on the devices. Corporate email, financial and marketing data and any other sensitive data may leak out of the organization if the device is not encrypted and adequately protected.

Another point to consider is how the organization might prevent rogue mobile devices from accessing the network. What will prevent users from bringing in their own unpatched/unapproved devices into the environment? Network Access Control (NAC) solutions may help to solve this issue. These solutions have become a popular way to manage the risk of employee owned devices. NAC allows organizations to control which devices can access each level of the organization’s internal network. For example, NAC can limit how a device can connect to the network, what it can access, prevent downloading and potentially prohibit a device from connecting at all. A “health-check” that inspects for required security configurations and controls can be performed before allowing a device to connect to the network to keep the network safe from viruses and malware that could be on an employee owned mobile device. If a “health-check” is not performed before the device is allowed on the network, the scenario described below could occur:


When determining the desired approach, it is critical for an organization to understand the specific use cases and incorporate key business drivers and objectives. This will allow the enterprise to determine whether the primary objectives of its BYOD program, from a mobile security perspective, are device-centric, data-centric or a combination of both.

Device Centric
  • Mobile device management (MDM)
  • Strict device policy enforcement
  • Local data encryption

Data Centric
  • Minimal device data footprint
  • Communications encryption
  • Virtualization

A device-centric approach focuses on the mobile device and associated security controls. This approach is typically centered on how the devices are managed, how policies are enforced, data encryption on the local device and solutions such as secure containers. Some key considerations supporting this approach include:

  • MDM software secures, monitors, manages and supports corporate-owned and employee-owned mobile devices deployed across an enterprise
  • Policy enforcement supports permissible/non-permissible devices and considers factors such as who can connect to the network (user types, etc.)
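An added example, not from the Deloitte post, of the “health-check” a NAC solution performs before admitting a device and that device-centric policy enforcement relies on: a constructed posture report is evaluated against a baseline of required controls and the device is allowed, quarantined to a remediation network, or denied. The baseline values, field names and decision labels are assumptions.

```python
from dataclasses import dataclass


@dataclass
class DevicePosture:
    """Constructed posture report for a device asking to join the network."""
    platform: str            # e.g. "ios" or "android"
    os_version: str          # e.g. "7.0.4"
    disk_encrypted: bool
    passcode_set: bool
    jailbroken_or_rooted: bool
    mdm_enrolled: bool
    av_signatures_age_days: int = 0


def _version_tuple(version: str):
    """Parse '4.4.2' (or '4.4KitKat') into a comparable tuple of ints."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


# Assumed baseline; a real one comes from the organization's standards.
MIN_OS_VERSION = {"ios": "6.1", "android": "4.2"}
MAX_SIGNATURE_AGE_DAYS = 7


def health_check(device: DevicePosture):
    """Return (decision, failed_checks).

    deny       - device is compromised (jailbroken/rooted); never admitted
    quarantine - required controls missing; remediation network only
    allow      - every required control is present
    """
    if device.jailbroken_or_rooted:
        # A compromised OS cannot be trusted to report anything else truthfully,
        # so no further checks are consulted.
        return "deny", ["jailbroken_or_rooted"]

    failures = []
    min_version = MIN_OS_VERSION.get(device.platform)
    if min_version is None:
        failures.append("unsupported_platform")
    elif _version_tuple(device.os_version) < _version_tuple(min_version):
        failures.append("os_version_below_minimum")
    if not device.disk_encrypted:
        failures.append("disk_not_encrypted")
    if not device.passcode_set:
        failures.append("no_passcode")
    if not device.mdm_enrolled:
        failures.append("not_mdm_enrolled")
    if device.av_signatures_age_days > MAX_SIGNATURE_AGE_DAYS:
        failures.append("stale_av_signatures")
    return ("quarantine" if failures else "allow"), failures


if __name__ == "__main__":
    # Constructed devices: one compliant, one unpatched/unencrypted, one rooted.
    for posture in (
        DevicePosture("ios", "7.0.4", True, True, False, True, 2),
        DevicePosture("android", "4.1.2", False, True, False, True, 10),
        DevicePosture("android", "4.4", True, True, True, True),
    ):
        print(posture.platform, posture.os_version, health_check(posture))
```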

A data-centric approach focuses on the data stored or processed by the mobile device and how it is secured and transmitted. This approach considers how the data is managed on the devices, transmission security, virtualization and data integrity. Some key considerations are:

  • Minimizing local data storage on the device reduces the risk associated with device loss or theft
  • Securing the transmission of the data from the mobile device to internal/external servers, applications, or other devices is critical
  • Virtualization is an important technology/solution to consider in a data centric approach: virtual desktops accessible from the mobile device or data stored in virtual/cloud environments are critical elements to evaluate
  • Accessing corporate data from mobile devices introduces the need for data integrity controls

For a solid BYOD approach, not only are well defined policies and standards critical, but the technology that enforces this governance should be in place to help ensure that the standards are adhered to. Many organizations may have well defined and communicated policies, but enforcing these restrictions on their users may be a daunting task without the appropriate technology and security framework. To facilitate this approach, mobile security requirements should be defined. A gap analysis should be conducted comparing current state capabilities to the desired state. Next, an overall mobile security operations framework should be developed and the operational processes to support this framework need to be defined. If the mobile security framework is planned appropriately to support a BYOD program and the risks are mitigated throughout the lifecycle, enterprises may see increased user productivity and satisfaction.

About the Writer:

Tim Sanouvong is a Senior Manager in Deloitte & Touche LLP’s Security & Privacy practice with 13 years of experience in the information security area. He specializes in leading large security projects spanning areas such as security strategy and governance, mobile security, and identity and access management. He has consulted for several clients across diverse industries such as financial services, retail, healthcare, state government, and aerospace and defense.

This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this document.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2013 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited

Thursday Nov 15, 2012

Develop and Enforce a Bring-Your-Own-Device (BYOD) Policy - PowerPoint Slides

Thank you to everyone who joined the webcast. I have posted the presentation below.

Develop and Enforce a Bring-Your-Own-Device (BYOD) Policy from OracleIDM

And here is a link to the SANS mobility survey: survey link

Monday Oct 22, 2012

Free SANS Mobility Policy Survey Webcast - October 23rd @10:00 am PST

Join us for a free webcast tomorrow, October 23 @ 10:00 am PST as SANS presents the findings from their mobility policy survey.

-- Register here for Part 1: https://www.sans.org/webcasts/byod-security-lists-policies-mobility-policy-management-survey-95429

This is a great opportunity to see where companies are with respect to mobile access policies and overall mobile application management.

This first part is entitled: BYOD Wish Lists and Policies. Part 2 will be run on October 25th and is entitled: BYOD Security Practices.

-- Register here for Part 2: https://www.sans.org/webcasts/byod-security-practices-2-mobility-policy-management-survey-95434

Thursday Jul 19, 2012

Announcing Oracle Identity Management 11gR2: New features for mobile, social & cloud, and new Privileged Account Management.

Today Oracle announces a major new release of its Identity Management offering, and with it comes some very cool new features.

A lot of features in this release are focused on extending Oracle’s expertise in security and IDM to mobile applications, social identities, and cloud applications. New features support native mobile security and single sign-on; social sign-on, which allows customers to log into a website with their social identities; and improved security and integration for cloud applications.

Big improvements have also been made to the self-service access request UI to make it more business-user friendly, including plain-English searching to request application access and roles, and a shopping-cart-style check-out. Automated confirmations and workflows allow business users to get updates and check the status of their requests. In addition, extensive customization is now possible to allow companies to completely control the look and feel of these pages.

More details on the new release here: http://www.oracle.com/us/corporate/press/1708069

Also introduced in this release: Oracle Privileged Account Manager (OPAM) is a whole new set of functionality focused on managing administrative passwords for applications, databases and operating systems. Although it can operate as a stand-alone application, the real value comes from its integration with other IDM components, such as the self-service password request UI and automated workflow approvals via Oracle Identity Manager, and detailed historical reporting via Oracle’s BI tools.

More details on OPAM here: http://www.oracle.com/us/corporate/press/1707986

Listen to the launch webcast and hear Amit Jasuja and Hassan Rizvi talk about the new features and business value here: http://bit.ly/LYWOB9

Monday Jun 04, 2012

Securing Mobile Apps in a Bring Your Own Device World

As more and more business users begin using their personal devices to access corporate information and resources, the number of network access requests has risen dramatically. Access Management products and strategies that were based on an employee accessing network resources from a single desktop PC were never designed to monitor and manage an employee who is using a desktop, a laptop, a tablet, and a smartphone, all from outside the corporate network and possibly from an unsecured public wireless network.

A new approach is needed to manage the types and frequency of mobile app access requests: an integrated platform approach to identity and access management that is location and device aware and that can warn you of unusual or high-risk access. Such a platform provides standard APIs so you can manage your mobile apps the same way that you manage your enterprise apps.

View the slideshow below to see how the Oracle Identity Management platform can help you secure your mobile applications and data in a Bring Your Own Device World.

Monday Oct 03, 2011

Identity Management at Oracle OpenWorld - Monday WrapUp

Oracle OpenWorld has officially kicked off in high gear. There were three highlights from today’s Identity Management activities:

  • Identity Management Demos: If you haven’t already checked out the Identity Management demogrounds in Moscone South, don’t miss it. This year, the Oracle IDM product team has pulled out all the stops to bring together one of the most exciting sets of demos we have seen. The 9 Identity Management demos are all designed to prove why Oracle Identity Management is the most complete and most integrated solution in the world. Each demo validates several real-world use case scenarios that need an end-to-end solution. And this year, there is an added bonus. If you check out all 9 IDM demos, you can enter to win an Apple TV.
  • Identity Management Keynote: In his general session address, Amit Jasuja, VP of Oracle Identity Management and Security Products, discussed several key identity management trends and how innovation is the key driver behind Oracle’s Identity Management momentum. One of the key industry trends over the last couple of years has been the consumerization of IT and how it has fueled secular trends like cloud, social and mobile computing. Identity Management and security are now more important than ever, as workforces everywhere need anywhere, anytime access. Amit’s session showcased 3 cool demos: cloud-social-mobile integration, self-serve access, and privileged user access control.
  • Customer Successes: One of the best barometers of a product’s success is its customer adoption. This year Oracle is showcasing several case studies that underscore why Oracle Identity Management leads the industry. In Amit Jasuja’s keynote, the CISO of Toyota discussed how Toyota is using Oracle Identity Management to bring social networking straight to your automobile. Earlier in the day, we had ING and Kaiser discuss how they are winning with Oracle Identity Analytics. Later in the day, we had Sasktel talk about how they are leveraging Oracle Identity Management to deliver identity services in the cloud. During the next three days, you will get an opportunity to hear from several other customers who have realized the benefits of Oracle Identity Management.

For a complete listing of Identity Management demos and sessions at OpenWorld, see the Identity Management Focus On. 

Monday Sep 26, 2011

Bring Your Own Device to Work (BYODW): Securing the Mobile Enterprise – OOW Session

Various studies predict that the mobile security market will explode within the next few years. One study estimates the mobile security market will grow to $4B by 2014 and to $14B by 2017. We believe there are a number of factors fueling this explosive growth. The popularity of mobile devices such as smartphones and tablets has resulted in numerous corporate users relying on these devices to access day-to-day business apps and data. Some studies estimate that nearly 85% of these devices are unmanaged by IT and hence unsecured. Loss or theft of these mobile devices could result in security breaches. Organizations are consequently looking for solutions that secure not only the device, but also the backend where sensitive information resides. In our OpenWorld session “Bring Your Own Device to Work: Securing the Mobile Enterprise”, we dig deeper into this phenomenon, which has taken most IT organizations by surprise.

In the modern mobile enterprise, IT organizations are looking at security from three perspectives:

  • Context-aware Security: A few months ago, someone published a hack to reset an iPhone password in less than 6 minutes. Here is a link to that news article. In addition, there is ample evidence that threat vectors are beginning to migrate to mobile devices, sparked by their widespread adoption. So security measures focused only on securing the endpoint are just one facet of the solution. Organizations should really focus their efforts on securing information. Sophisticated security measures should consider not only who is accessing what data, but also from which device and which geo-location, and whether the access is abnormal given historical behavior.
  • User Experience: Corporate users expect the same level of user experience from their mobile devices that they have come to expect from their SSO-enabled desktops and laptops. While single sign-on solutions streamline the user experience for most apps, there is often no single sign-on across rich mobile applications installed on mobile devices. This problem is expected to worsen because many enterprises are in the process of provisioning rich mobile applications to their employees. Rich mobile applications, such as employee white pages apps, are becoming very common in most enterprises.
  • Interoperability: Many organizations have a heterogeneous IT infrastructure with a well-functioning identity management system that they do not want to replace. Instead, organizations need solutions that can deliver all of the above while seamlessly integrating and interoperating with their existing platforms, so they can get the best value from their investments.

You don't want to miss Clayton Donley, Senior Director of Development, Oracle, and Daniel Killmer, Principal Product Manager at Oracle, discussing how you can successfully navigate the BYODW phenomenon on Tuesday, October 4th at 1:15 pm in Moscone West 3020.

For a complete schedule of Identity Management sessions at OpenWorld, see the Identity Management Focus On.

Friday Aug 26, 2011

Got cloud, mobile, app security on your mind?

Now that we have talked about why you can't miss Oracle OpenWorld this year, let's get building our schedule. We have an exciting line-up of Identity Management sessions featuring Oracle Identity Management executives, product management leads, customers and partners, and over the next week or so we'll walk you through some of the session highlights. If cloud, mobile and application security are top of mind for you, here's a list of must-attend sessions; be sure to add these to your schedule builder today!

Identity Management General Sessions

Monday October 3, 2011

| Time | Title | Speakers | Location |
|---|---|---|---|
| 2:00 pm – 3:00 pm | Trends in Identity Management | Amit Jasuja, Vice President, Oracle | Moscone West, Room 3022 |
| 3:30 pm – 4:30 pm | Identity and Access Management for Oracle Applications | Svetlana Kolomeyskaya, Group Manager, Product Management, Oracle; Connie Jaremczuk, Principal Product Manager, Oracle | Moscone West, Room 3022 |
| 5:00 pm – 6:00 pm | Identity Administration Management for the Cloud | Gary Cole, Software Architect, Oracle; Tanu Sood, Principal Product Director, Oracle | Moscone West, Room 3022 |

Tuesday October 4, 2011

| Time | Title | Speakers | Location |
|---|---|---|---|
| 10:15 am – 11:15 am | Mobile Security Trade-offs: Balancing Strength and Usability | Mark Karlstrand, Senior Product Management, Oracle; Joshua Walderbach, Information Security Analyst, Principal Financial Group | Moscone West, Room 3022 |
| 10:15 am – 11:15 am | BYODW (Bring Your Own Device to Work): Securing the Mobile Enterprise | Clayton Donley, Sr. Director Development, Oracle; Daniel Killmer, Principal Product Manager, Oracle | Moscone West, Room 3020 |
| 4:00 pm – 5:00 pm | Directory Server Innovation: From the Enterprise to the Cloud | Forest Yin, Director Product Management, Oracle; Etienne Remillon, Principal Product Management, Oracle; Vikas Mahajan, Director, AARP | Moscone West, Room 3003 |
| 5:30 pm – 6:30 pm | Cloud Security Case Studies of SaaS, PaaS, and IaaS | Mark O'Neill, CTO, Vordel | Moscone West, Room 3022 |
| 5:30 pm – 6:30 pm | Enterprise-Grade Security in the Cloud: So You Can Sleep at Night | Gail Coury, Vice President Risk Management, Oracle; Joe Collette, Head of Americas Infrastructure, RBS Citizens | Moscone West, Room 3003 |

Wednesday October 5, 2011

| Time | Title | Speakers | Location |
|---|---|---|---|
| 4:45 pm – 5:45 pm | Achieving Context-Aware Security with Integrated Identity Management | Vadim Lander, Chief Architect, Oracle | Moscone West, Room 3022 |
| 4:45 pm – 5:45 pm | Cloud and SOA Security with Oracle Enterprise Gateway and Oracle Web Services Manager | Anand Kothari, Principal Product Manager, Oracle; Sid Mishra, Principal Product Manager, Oracle; Nickolas Kavantzas, Web Services/SCA Architect, Oracle | Marriott Marquis, Room Golden Gate B |

Thursday October 6, 2011

| Time | Title | Speakers | Location |
|---|---|---|---|
| 10:30 am – 11:30 am | Oracle Identity Platform Security Services for Oracle Applications | Ganesh Kirti, Senior Product Development, Oracle; KK Sriramadhesikan, Consulting Member, Oracle | Moscone West, Room 2020 |
| 1:30 pm – 2:30 pm | Integrating Oracle E-Business Suite with Oracle Identity Management Solutions | Sunil Ghosh, Senior Development, Oracle; Keith Swartz, Senior Software Architect, Oracle | Moscone West, Room 2016 |

Oracle OpenWorld Identity Management Hands-On Labs

Tuesday October 4, 2011

| Time | Title | Speakers | Location |
|---|---|---|---|
| 10:15 am – 11:15 am | Securing Oracle Applications with Oracle Identity Management | Michael Freel, Principal Sales Consultant, Oracle | Marriott Marquis, Room Salon 1/2 |

Thursday October 6, 2011

| Time | Title | Speakers | Location |
|---|---|---|---|
| 3:00 pm – 4:00 pm | Securing Oracle Applications with Oracle Identity Management | Michael Freel, Principal Sales Consultant, Oracle | Marriott Marquis, Room Salon 1/2 |

For a complete list of Identity Management sessions, product demos and hands-on lab sessions, please keep the Focus On Identity Management document handy.

About

Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.
