Tuesday Mar 03, 2015

Does Your Company Recognize Your Online Identity - Anywhere, Anytime?

Our mobile IDs travel with us to work, back home, and on the road. Businesses are learning to cope.

by Lynne Sampson

Like most aspiring writers, I loved going to the library as a kid. I had a library card as soon as I was old enough to sign my name—creased and frayed from overuse, tucked inside my mom’s wallet. Mom and I handed our cards to the librarian at each visit, and she looked up our names in the library register and compared our signatures to the ones on our cards.

This old-fashioned, analog ID system was around for a long time. It was less than 10 years ago that my local library replaced paper cards with plastic ones, with a photo ID and a magnetic stripe.

Today, analog IDs have gone the way of cursive script. Nearly all IDs are digital. Since the rise of the internet, our banks, employers, and apps ask us for a plethora of user names, passwords, and security questions to prove that we are who we say we are.

This is a nuisance for absent-minded consumers who make frequent use of the “Forgot My Password” button. But it’s an even bigger problem for the companies and employers that we do business with.

67% of Fortune 500 companies connect with customers via mobile app

“Mobile has become the platform of choice for everything from work to vacationing,” said Naresh Persaud, senior director of security product marketing at Oracle. “That adds a layer of complexity to identity management that most organizations haven’t had to deal with before.”

Consider the way we work. “Many companies have salespeople who travel constantly. They use their tablets all the time, and they want to log into their applications, track their deals, check and assign new leads. They like the mobile experience because it’s familiar and easy to navigate,” Persaud said.

What’s not so easy is provisioning all those mobile devices for a corporate network—especially as more and more of us use our personal devices for work.

89% use personal devices for work purposes

Adding further complexity to the mix, a growing volume of marketing, selling, and hiring is done via social channels like Facebook, Twitter, and LinkedIn. “Many of us need social tools integrated into our mobile identities,” Persaud continued. For example, one B2B company tracks new leads coming in from marketing campaigns and then checks the prospect’s ID on LinkedIn. If the sales manager finds a rep who is already part of the prospect’s LinkedIn network, he’ll assign the lead to that rep, using existing relationships to gain an introduction.

And it’s not just customers or employees who companies must think about. “At some companies, like online music providers, the product itself is digital.” This is becoming more common as the “sharing economy” (driven by apps like Uber and Airbnb) takes flight. This means keeping track of which user has access to which products and services. “We’ve entered a world of ‘digital abundance,’ where our mobile ID becomes the currency of entitlement,” Persaud said.

What does it take to manage our mobile identities? How do companies give employees and customers access to all their apps, systems, and products from a multitude of devices?

Companies need to establish policies, technologies, and best practices to manage and audit the use of mobile devices. Mobile should be an integral part of your company’s larger security and identity strategy.

“You need an integrated platform that provisions access to data and systems, manages the identities of people, and authenticates devices,” Persaud explained. “Integrated” is the key ingredient when it comes to managing mobile identities. Using separate security solutions for data, devices, and people makes it more complicated for customers and employees to get access to the tools they need. Plus, a single identity for each user—no matter which device they’re on—can help you maximize conversion and revenue.

“A great example of this is Beachbody,” Persaud said. Beachbody provides home fitness products and creates a community for members trying to reach their physical fitness goals. “Instead of physical locations, Beachbody delivers products and services via the web and mobile devices.” To connect with millions of customers and thousands of fitness coaches, Beachbody needed to digitize identity and do it securely across multiple channels. “Mobile was perhaps the most important part of their identity management project,” Persaud added, “because it’s become the platform of choice for consumers.”

Our mobile identities are somewhat akin to DNA—unique, evolving, and hugely complicated. Someday, our DNA might actually be the key that we use to access all technology and services, from pension checks to downloaded music. Until that happens, though, companies need to work with mobile identities. That means working with an integrated security suite that includes mobile as a consideration equal to data and people.

See the Oracle Mobile Platform at Mobile World Congress

Learn about Oracle Identity Management Solutions

Friday Feb 27, 2015

New eBook: Establishing a Mobile Security Architecture

Today, just as organizations are starting  to understand the first wave of the mobile revolution, there are now numerous demands being placed on IT to support the second wave of mobility as a new generation of devices and applications are coming online to take advantage of these new capabilities in today’s corporate environments.

"Establishing a Mobile Security Architecture" provides a deeper understanding of not only the fundamentals, but also the complex issues related to mobile security in today’s corporate mobility environment. If you maintain the role of a mobility planner, security architect, CISO, security director, IT director, operations manager or just simply want to better understand the best application of technologies for each area of mobility within your organization and how to reduce risk, then download this free copy of  "Establishing a Mobile Security Architecture".

Some of the areas covered in this eBook:

  • A look at the changing mobile and business requirements
  • Deep dive in the technologies used to secure the mobile platform today
  • Containerization and application management
  • The role Identity Management plays on the mobile device
  • The broader view of securing the mobile stack

Register now for your free copy of the "Establishing a Mobile Security Architecture" eBook.

Wednesday Feb 18, 2015

ISACA Webcast Replay - Manage, Monitor & Audit the Mobile User

The greatest threat of a data breach –intentional or not - continues to be from employees, contractors and partners – people you are supposed to be able to trust. On February 12th, Oracle presented to ISACA members on the critical nature of establishing policies, technology and best practices to manage, monitor and audit the use of mobile devices as part of a larger Identity Management strategy.

Our presenter was Mark Wilcox, who is a Senior Principal Product Manager at Oracle. Leveraging his 20 years of experience in the computing industry and the Identity and Access space, Mark delivered a very focused session on best practices and industry guidance that would benefit any organization evaluating their mobile strategy.   Please click on the following link to replay the event from February 12th, 2015.

For more information on ISACA, and how they can support you on a student, professional or academic level, please visit them on their website at www.isaca.org  or directly on their Membership Page

Replay Webcast Here

Monday May 05, 2014

Is Mobility Creating New Identity and Access Challenges? - by Marcel Rizcallah

Are mobile, social, big data and cloud services generating new Identity and Access Management challenges? Guest blogger Marcel Rizcallah is the EMEA Domain Leader for Security at Oracle Consulting and today will highlight some of the new IAM challenges faced by customers with Cloud services and Mobile applications.

Sales force users ask more often for iPad or mobile devices to access Cloud services, such as CRM applications. A typical requirement is to use an AD or corporate directory account to login seamlessly into the Cloud service, either with a web browser or a downloaded application on a device. The benefits, compared to a different login/password provided by the Cloud provider, is more security and better identity governance for their organization; password policy is enforced, CRM services are granted to sales people only and Cloud accounts are de-provisioned immediately when people leave.

Integrating a mobile device browser with the intranet is easily addressed with federation solutions using the SAML standard. The user provides his login and password only once and tools such as Oracle Mobile Security Suite and Oracle Access Manager provide the end-to-end integration with the corporate directory.

Authenticating through a downloaded application provided by the Cloud service may be more complex; the user authenticates locally and the device application checks first the credentials in the cloud environment. The credentials are relayed to the organization’s intranet using REST services or standards such as SAML to validate the credentials.

Integrating IAM services between SaaS applications in the Cloud and the corporate intranet may lead to a weird situation. Let’s look at this example: one of my customers discovered that their CRM SaaS application, provided by a public Cloud environment, was supposed to be SAML compliant, yet did not correctly generate one of the SAML messages when authenticating through a downloaded application on the device. Despite all parties agreeing that this is a bug, fixing the Cloud application was not an option because of the possible impact on millions of Cloud customers. On the other hand, changing the Oracle Access Manager product, fully compliant to SAML 2.0, was not an option either. The short term solution would be to build a custom credential validation plug-in in Oracle Access Manager or an integration tool, such as Oracle API Gateway to transform the wrong message on the fly! Of course this should not stay a long term solution!

When we ask customers which SSO or Identity Governance services are the priority for integrating Cloud SaaS applications with their intranet, most of them says it’s SSO. Actually SSO is more urgent because users want to access Cloud services seamlessly from the intranet. But that’s the visible part of the iceberg; if Cloud accounts are not aligned to employees referential or sales force users, customers will end up paying more license fees to the Cloud provider than needed. SSO with Oracle Access Manager will improve customer experience, but cloud provisioning / de-provisioning with Oracle Identity Governance will optimize Cloud costs.

Use the following links to learn more about Oracle IDM products and Oracle Consulting Services for IDM.

Wednesday Feb 26, 2014

Announcing Oracle Mobile Security Suite: Secure Deployment of Applications and Access for Mobile

Today, Oracle has announced a new offering, Oracle Mobile Security Suite, which will provide access to sensitive applications and data on personal or corporate owned devices.  This new offering will give enterprises unparalleled capabilities in how they contain, control and enhance the mobile experience.

A great deal of effort has been placed into analyzing how corporations are leveraging the mobile platform today, as well as how they will use this platform in the future. Corporate IT has spoken loud and clear of the challenges they face around lengthy provisioning times for access to applications and services, as well as the need for managing the increased usage of applications.  Recent industry reports show how significant the risks can be.  1 A detailed assessment of one of the most popular application marketplaces shows that 100% of the top 100 paid apps have some form of rogue variant posted within the same marketplace. As credential theft is on the rise, one of the targets this is being achieved is on the mobile device with rogue apps or Malware with embedded keystroke recorders or collection tools that send back other critical data from the device.

One of the great new features of the Oracle Mobile Security Suite (OMSS)  is through the use of containers.  Containers allow OMSS to create a secure workspace within the device, where corporate applications, email, data and more can reside. This workspace utilizes its own secure communications back to the back end cloud or corporate systems, independent of VPN.  This means that corporate information is maintained and managed separate of the personal content on the device giving end users the added flexibility of using personal devices without impacting the corporate workspace.  Remote wipe of data now doesn't impact the entire device, rather, only the contents of the corporate workspace.  New policies and changes in access and applications can be applied whenever a user authenticates into their workspace, without having to rebuild or re-wrap any applications in the process, unlike other offerings.  This is a very unique approach for Oracle.

More details on this new release at  http://www.oracle.com/us/corporate/press/2157116

Rounding out this offering, are capabilities that enable the complete end to end provisioning of access, Single Sign-on within the container, enterprise app store and much more.  

Technical Whitepaper: Extending Enterprise Access and Governance with Oracle Mobile Security

For the latest information on Oracle's Mobile Strategy, please visit the Oracle Mobile Security Suite product page, or check back for upcoming Mobile Security postings on the Oracle IDM blog page this March. 

1 2013 X-Force Internet Threat Report


Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.


« December 2015