Monday Apr 14, 2014

When We Are All A Heartbeat Away From Data-Loss

Unless you have been sleeping under a rock for the last few weeks, one of the biggest items of news in security has been a vulnerability that has existed since December 2011. The vulnerability, CVE-2014-0160, is more widely known as the Heartbleed Bug and is only now making its reputation known after researchers discovered its widespread impact on data privacy.

The vulnerability is in an older version of the OpenSSL encryption routines used for secure web sessions. For example, when you go to your favorite banking or web email site and log in, you see a padlock in the lower right corner. This “closed” padlock indicates that SSL (Secure Sockets Layer) has initiated and secured a connection between your browser and the service you are connecting to, so that nobody can intercept or monitor your communications. This is critical when filing taxes online, sending private emails on Yahoo, or using cloud-based file sharing services over a browser connection.

Without diving into the full details of how the exploit works, in the simplest terms this vulnerability allows a remote attacker to simply make a network connection to any vulnerable remote system and pull small chunks of data that are left in memory from the SSL session. While this does not mean that an attacker can pick and choose files from your system, it does mean that the kinds of information commonly found in memory, such as passwords, session IDs, private encryption keys and more, can be exposed. All of this, of course, is very sensitive information.
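The missing check behind CVE-2014-0160, modelled as an added example (this is not OpenSSL's code): a heartbeat message declares its own payload length, and the pre-fix code copied that many bytes back to the peer without confirming the record actually contained them, so the reply carried whatever sat next to it in memory. The `memory` buffer below is a constructed stand-in for adjacent heap contents.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
PADDING_LEN = 16  # minimum padding an RFC 6520 heartbeat message carries


def build_heartbeat(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Encode type(1) | payload_length(2) | payload | padding.
    declared_len lets the caller lie about the length, which is the trigger."""
    length = len(payload) if declared_len is None else declared_len
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * PADDING_LEN


def echo_unchecked(memory: bytes, offset: int) -> bytes:
    """Model of the pre-fix behaviour: the declared length is trusted, so the copy
    runs past the end of the record into whatever follows it in `memory`."""
    _, length = struct.unpack_from("!BH", memory, offset)
    start = offset + 3
    return memory[start:start + length]


def echo_checked(record: bytes) -> Optional[bytes]:
    """Model of the fix: the declared length must fit inside the record that was
    actually received (1 type byte + 2 length bytes + payload + 16 padding bytes).
    Returns the echoed payload, or None when the message is silently discarded."""
    if len(record) < 1 + 2 + PADDING_LEN:
        return None
    mtype, length = struct.unpack_from("!BH", record, 0)
    if mtype != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + length + PADDING_LEN > len(record):
        return None  # declared length overruns the record: discard, do not echo
    return record[3:3 + length]


def demo():
    """Constructed input: a 4-byte payload that claims to be 64 bytes long, sitting
    in a buffer directly in front of data that should never leave the process."""
    lying = build_heartbeat(b"ping", declared_len=64)
    memory = lying + b"session_cookie=abc123; private_key_fragment..."
    leaked = echo_unchecked(memory, 0)   # 64 bytes, most of them not the payload
    safe = echo_checked(lying)           # None: rejected
    honest = echo_checked(build_heartbeat(b"ping"))  # b"ping"
    return leaked, safe, honest
```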

The biggest challenge here is that many consumers and corporate users recycle passwords and user names. User names are often their email address, and passwords are often re-used again and again across all of the web services and web properties they access. So if an attacker is lucky enough to collect one password for the online flower website where a user just purchased flowers, chances are that attacker will attempt to use that same user ID and password against the mainstream email, financial, retail and service portals associated with that same user.

The impact of the Heartbleed bug is global. It is as far reaching as any bug, as it affects hundreds of millions of online user accounts. Many researchers are advising waiting a few more days before you attempt to change all of your online passwords. Why not sooner? Changing passwords while your systems and the services you connect to are still at risk of being vulnerable is a wasted effort. By the end of this week, most of the online service providers you use will have all of their systems patched, most browsers will be updated and patched, and most smartphones and tablets will be secured. At that point, it will be highly recommended to change passwords. The best course of action is to check with your service provider, such as your online banking website or whatever other online service you use, for when they give the "all clear" to reset passwords.

So what are the lessons here? Regardless of whether you are a member of a major corporation, a non-profit, or you are heading up a family of 3, the advice is the same. As a consumer or corporate user, you must adopt a new mindset around a password policy for yourself. Passwords and user IDs must be unique for each service and account you access. Passwords must not be personally tied to you, in the sense that you should not use family names or dates that are tied to you or family members. Rotating and refreshing these every 30 to 90 days is critical. This is called compartmentalizing the risk. The practice ensures that if a password is compromised, only that one service is at risk, such as your online flower website. What stays safe is your personal banking, your company’s VPN password, your secure email passwords and more, all because you have kept them separate.
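The three rules above (unique per service, not tied to personal names or dates, refreshed within 30 to 90 days) as an audit over a credential set, added here as an example that is not part of the original post; the credentials, personal tokens and reference date are constructed.

```python
import hashlib
from datetime import date

# Constructed sample credential set for one person: service -> (username, password, last_changed).
# The passwords are deliberately weak examples for the audit to flag.
CREDENTIALS = {
    "flowers.example": ("jane@example.com", "Rover2009!", date(2013, 6, 1)),
    "bank.example":    ("jane@example.com", "Rover2009!", date(2014, 3, 20)),
    "corp-vpn":        ("jane.doe",         "x7#Qp!92zLw@", date(2014, 2, 1)),
    "mail.example":    ("jane@example.com", "Skyline-14-Harbor", date(2014, 4, 1)),
}

# Tokens a password must not be built from: the person's name, a pet's name, a family year.
PERSONAL_TOKENS = ["jane", "rover", "2009"]

TODAY = date(2014, 4, 14)  # the post's date, used as the audit reference point


def fingerprint(password: str) -> str:
    """Compare passwords by digest so the report never carries a plaintext."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def audit(creds, personal_tokens, today, max_age_days=90):
    """Return findings as tuples: ("reused", [services]), ("personal", service, [tokens]),
    ("stale", service, age_in_days). A service with no findings is compartmentalized:
    losing any other service's password does not expose it."""
    findings = []
    by_fp = {}
    for service, (_, pw, _) in creds.items():
        by_fp.setdefault(fingerprint(pw), []).append(service)
    for services in by_fp.values():
        if len(services) > 1:
            findings.append(("reused", sorted(services)))  # one breach exposes all of these
    for service, (_, pw, changed) in creds.items():
        hits = [t for t in personal_tokens if t in pw.lower()]
        if hits:
            findings.append(("personal", service, hits))
        age = (today - changed).days
        if age > max_age_days:
            findings.append(("stale", service, age))
    return findings


def compartmentalized(creds, personal_tokens, today):
    """Services that survive the audit untouched."""
    flagged = set()
    for f in audit(creds, personal_tokens, today):
        flagged.update(f[1] if f[0] == "reused" else [f[1]])
    return sorted(set(creds) - flagged)
```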

In the corporate world, this can be greatly simplified through the use of Single Sign-On technologies that take dozens of unique account credentials that would be hard to remember and place them under one strong user ID and password that the employee can focus on remembering. For consumers, there are best practices around consumer-oriented tools that can accomplish the same goal of pulling passwords together, but buyer be warned. For every one “reputable” product here worthy of storing your most sensitive information, there are 10 others that you should stay away from, as some are even malicious in nature, designed to steal information – so be careful.

There are numerous online resources to help you research whether your website is vulnerable, as well as many more security research articles that detail additional steps for administrators looking to remediate their websites.

For more information on how Oracle can help address your organization's needs around account provisioning, Single Sign-on and more, visit us at www.oracle.com/identity

Tuesday Jun 25, 2013

It's not just “Single Sign-on” by Steve Knott (aurionPro SENA)

It is true that Oracle Enterprise Single Sign-on (Oracle ESSO) started out as purely an application single sign-on tool, but as we have seen in the previous articles in this series, the product has matured into a suite of tools that can do more than just automated single sign-on and can also provide a rapidly deployed, cost-effective solution to many demanding password management problems.

In the last article of this series, I would like to discuss three cases where customers faced password scenarios that required more than just single sign-on, and how some of the less well-known tools in the Oracle ESSO suite “kitbag” helped solve these challenges.

Case #1

One of the issues often faced by our customers is how to keep their applications compliant. I had a client who liked the idea of automated single sign-on for most of his applications but had a key requirement to actually increase the security for one specific SOX application. For the SOX application he wanted to secure access by using two-factor authentication with a smartcard. The problem was that the application did not support two-factor authentication. The solution was to use a feature from the Oracle ESSO suite called authentication manager. This feature enables you to have multiple authentication methods for the same user, which in this case were a smartcard and the Windows password. Within authentication manager, each authenticator can be configured with a security grade, so we gave the smartcard a high grade and the Windows password a normal grade. Security grading in Oracle ESSO can be configured on a per application basis, so we set the SOX application to require the higher grade smartcard authenticator.

The end result for the user was that they enjoyed automated single sign-on for most of the applications apart from the SOX application. When the SOX application was launched, the user was required by ESSO to present their smartcard before being given access to the application.
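A small model of the grading decision described in this case, added here as an example (it is not Oracle ESSO's code; the authenticator names, grades and application names are constructed): each authenticator carries a grade, each application requires one, and a launch either passes silently or demands the higher-grade authenticator first.

```python
from enum import IntEnum


class Grade(IntEnum):
    NORMAL = 1
    HIGH = 2


# Constructed policy: grade per authenticator, required grade per application
# (applications not listed fall back to DEFAULT_GRADE and get plain SSO).
AUTHENTICATOR_GRADES = {"windows_password": Grade.NORMAL, "smartcard": Grade.HIGH}
APP_REQUIRED_GRADE = {"sox_ledger": Grade.HIGH}
DEFAULT_GRADE = Grade.NORMAL


def highest_grade(presented):
    """Strongest grade the session has already proven; 0 for an empty session."""
    return max((AUTHENTICATOR_GRADES[a] for a in presented), default=0)


def access_decision(app, presented):
    """("allow", None) when the session already satisfies the app's required grade,
    otherwise ("step_up", [authenticators]) listing what would satisfy it."""
    required = APP_REQUIRED_GRADE.get(app, DEFAULT_GRADE)
    if highest_grade(presented) >= required:
        return ("allow", None)
    options = sorted(a for a, g in AUTHENTICATOR_GRADES.items() if g >= required)
    return ("step_up", options)


def launch_sequence(apps, presented):
    """Walk a sequence of application launches for one desktop session: a step-up
    happens the first time a high-grade app is opened, and once the smartcard has
    been presented it stays in the session for later launches."""
    session = set(presented)
    log = []
    for app in apps:
        verdict, need = access_decision(app, session)
        if verdict == "step_up":
            session.add(need[0])  # the user presents the required authenticator
        log.append((app, verdict))
    return log
```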

Case #2

Another example of solving compliance issues was in the case of a large energy company who had a number of core billing applications. New regulations required that users change their password regularly and use a complex password. The problem facing the customer was that the core billing applications did not have any native user password change functionality. The customer could not replace the core applications because of the cost and time required to re-develop them. With a reputation for innovation, aurionPro SENA were approached to provide a solution to this problem using Oracle ESSO.

Oracle ESSO has a password expiry feature that can be triggered periodically based on the timestamp of the user’s last password creation, so our strategy here was to leverage this feature to provide the password change experience. The trigger can launch an application change password event; however, in this scenario there was no native change password feature that could be launched, so a “dummy” change password screen was created that could imitate the missing change password function and connect to the application database on behalf of the user.

Oracle ESSO was configured to trigger a change password event every 60 days. After this period, if the user launched the application, Oracle ESSO would detect the logon screen and invoke the password expiry feature. Oracle ESSO would trigger the “dummy screen,” detect it automatically as the application change password screen, and insert a complex password on behalf of the user. After the password event had completed, the user was logged on to the application with their new password. All this was provided at a fraction of the cost of re-developing the core applications.

Case #3

Recent popular initiatives such as BYOD and working-from-home schemes bring with them many challenges in administering “unmanaged machines” and sometimes “unmanageable users.”

In a recent case, a client had a dispersed community of casual contractors who worked for the business using their own laptops to access applications. To improve security around password management, the goal was to provision the passwords directly to these contractors. In a previous article we saw how Oracle ESSO has the capability to provision passwords through Provisioning Gateway, but the challenge in this scenario was how to get the Oracle ESSO agent to the casual contractor on an unmanaged machine.

The answer was to use another tool in the suite, Oracle ESSO Anywhere. This component can compile the normal Oracle ESSO functionality into a deployment package that can be made available from a website in a similar way to a streamed application. The ESSO Anywhere agent does not actually install into the registry or Program Files but runs in a folder within the user’s profile, so no local administrator rights are required for installation. The ESSO Anywhere package can also be configured to stay persistent or disable itself at the end of the user’s session.

In this case the user just needed to be told where the website package was located and to download the package. Once the download was complete the agent started automatically and the user was provided with single sign-on to their applications without ever knowing the application passwords.

Finally, as we have seen in this series, Oracle ESSO not only has great utilities in its own tool box but also has direct integration with Oracle Privileged Account Manager, Oracle Identity Manager and Oracle Access Manager. Integrated with these tools, it provides a complete and complementary platform to address even the most complex identity and access management requirements.

So what next for Oracle ESSO?

“Agentless ESSO available in the cloud” – but that will be a subject for a future Oracle ESSO series!


Tuesday Jun 18, 2013

The Keys to the Password Vault by Matthew Scott (aurionPro SENA)

Super user accounts are, unfortunately, a necessary evil. It’s just a fact of life in the IT industry that someone, somewhere, has to have the ability to make fundamental (and therefore potentially catastrophic!) changes to key systems.

One of my least favourite experiences as a consultant was gaining access to an account through a process that was reminiscent of a spy thriller – the password was typed onto a card, which was cut in two, with each half stored in a separate safe and each key entrusted to a meticulous security officer. Navigating the procedures to get the halves together in time to be useful was a trial of persuasion and scheduling – I can see why Tom Cruise prefers to abseil in through the roof instead of filling in yet another form!

Compliance officers are increasingly scrutinising privileged accounts and the processes that control access to them – not surprisingly, since surveys have shown that up to a quarter of IT professionals have experienced misuse of such accounts, and almost half of all companies fail to manage these accounts in accordance with the law (http://www.computerweekly.com/news/2240111956/One-in-four-IT-security-staff-abuse-admin-rights-survey-shows). The results can be spectacular and sobering – the UBS trader Kweku Adoboli cost his company $2.3 billion after making disastrous trades using a privileged account which he was not authorised to use.

Thankfully, there is now a better way. As we’ve seen in this series, with the ESSO suite the technology exists to manage user passwords without the user having to actually ‘know’ that password. It is possible to extend this functionality to include those previously hard to manage privileged accounts by introducing Oracle Privileged Account Manager (OPAM). OPAM acts as a secure password vault for privileged accounts, but unlike other password vaults it can be connected directly to the ESSO Logon Manager agent so that passwords can be requested, obtained and used, all from the user’s desktop.

OPAM is particularly useful for companies with large, decentralised UNIX environments. We are currently engaged with a large financial organisation which has several hundred servers, with various distributions of Linux and UNIX that are managed by different teams. With OPAM, all those precious root accounts have for the first time been corralled together in one location, where they can be released as needed to any authorised user. OPAM is equally adept at managing identities stored in directories, including Windows service accounts within Active Directory.

To calm the fears of any compliance officers who may be reading these words nervously, it is possible to implement workflows to control the request process. This may include approvals from a higher authority, complete with email or mobile notifications to the approver. And of course ESSO and OPAM feature end-to-end audit trails – from request, to check out, to each use of the privileged account, through to check in. Tracking who has been doing what with each account has never been easier.
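The request, approval, check-out and check-in cycle with its audit trail, as an added example that is a constructed model and not OPAM's API; rotating the password on check-in is an assumption of this model, not something the post states.

```python
from datetime import datetime


class Vault:
    """Constructed model of a privileged-account vault: one holder at a time,
    approval required before check-out, append-only audit trail."""

    def __init__(self):
        self.accounts = {}  # name -> {"password", "holder", "approvers", "pending"}
        self.audit = []     # (time, event, account, actor)

    def add_account(self, name, password, approvers):
        self.accounts[name] = {"password": password, "holder": None,
                               "approvers": set(approvers), "pending": {}}

    def request(self, user, account, now):
        self.accounts[account]["pending"][user] = False  # awaiting approval
        self._log(now, "request", account, user)

    def approve(self, approver, user, account, now):
        acct = self.accounts[account]
        if approver not in acct["approvers"] or user not in acct["pending"]:
            self._log(now, "approve_denied", account, approver)
            return False
        acct["pending"][user] = True
        self._log(now, "approve", account, approver)
        return True

    def checkout(self, user, account, now):
        """Release the credential to an approved requester if nobody else holds it.
        In the ESSO integration the agent injects it; the user need not see it."""
        acct = self.accounts[account]
        if not acct["pending"].get(user) or acct["holder"] is not None:
            self._log(now, "checkout_denied", account, user)
            return None
        acct["holder"] = user
        acct["pending"].pop(user)
        self._log(now, "checkout", account, user)
        return acct["password"]

    def checkin(self, user, account, now, new_password):
        acct = self.accounts[account]
        if acct["holder"] != user:
            self._log(now, "checkin_denied", account, user)
            return False
        acct["holder"] = None
        acct["password"] = new_password  # assumed: rotate on return so a copied value dies
        self._log(now, "checkin", account, user)
        return True

    def _log(self, now, event, account, actor):
        self.audit.append((now, event, account, actor))

    def usage_report(self, account):
        """Who did what with one account, in order: the compliance officer's view."""
        return [(e, actor) for _, e, a, actor in self.audit if a == account]


def demo():
    """Constructed walk-through: a request, a premature check-out, a bogus approver,
    a real approval, the check-out, a blocked second requester, and the check-in."""
    v = Vault()
    t = datetime(2013, 6, 18, 9, 0)
    v.add_account("root@db01", "r00t-initial", approvers={"alice"})
    v.request("bob", "root@db01", t)
    steps = [
        v.checkout("bob", "root@db01", t),               # None: not approved yet
        v.approve("mallory", "bob", "root@db01", t),     # False: not an approver
        v.approve("alice", "bob", "root@db01", t),       # True
        v.checkout("bob", "root@db01", t),               # "r00t-initial"
        v.checkout("carol", "root@db01", t),             # None: account already held
        v.checkin("bob", "root@db01", t, "r00t-next"),   # True
    ]
    return steps, v.usage_report("root@db01")
```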

In addition to managing privileged accounts, the ESSO suite also allows users to distribute their personal accounts in a similar manner. Many of us have experienced the frustration of needing access to a system, a record or an email only to discover that the person with access is on holiday or otherwise unavailable. In extreme cases, this may require that the absent user’s Windows account be reset to allow another user to log on and gain access. ESSO’s Account Delegation allows these key users to pro-actively devolve their account credentials to another user for a set period – no passwords required!

Tuesday Jun 11, 2013

Achieving "Zero-Touch" Password Management by Steve Knott (aurionPro SENA)

Traditionally when a user is on-boarded into an organisation they are given a desktop password along with a whole host of other passwords to access the required business applications to enable them to do their job. Inevitably there will be numerous associated company information security policies that dictate that passwords should not be written down or shared with colleagues etc.

Trying to remember numerous passwords can be onerous on the end user at the best of times and can lead to a plethora of password sins committed by the end user. Whilst we can deploy some SSO technologies to relieve password fatigue, the on-boarding provisioning process often means that the user needs to know their passwords at some point – or do they?

I recently worked on a project at a leading engineering company who were in the process of deploying a large new ERP system. The end users were highly skilled engineers focusing on cutting edge technology but password security was not high on their list of priorities. Traditionally within the organisation, credentials for new applications were sent by email and sometimes they were communicated over the phone. Inevitably these were written down in text files and diaries or passwords were changed to be the same “pet’s name” type password for multiple applications.

This was a huge concern for the Chief Architect who wanted to remove end user password management and provide “zero touch” credential provisioning for the new ERP applications. He also wanted to satisfy auditing and compliance requirements by enforcing complex passwords whilst preventing unauthorised credential sharing. All this needed to be achieved without inconveniencing the users.

We discussed the tried and tested approach of using a full-blown identity management solution. However, his response to this was that although wider identity management was on their long term roadmap, he had a hard deadline to deliver the ERP system within three months and with limited resources. With traditional user provisioning ‘out the window’ we had to come up with another approach. Everyone would be using the new ERP system for their timesheets on the same day, and with any business impact due to unavailability therefore being potentially very significant, the customer couldn’t afford to have issues related to logging in.

One product that they already had licensed was the Oracle Enterprise Single Sign-on (ESSO) suite. Oracle ESSO is a well-known, established product which provides single sign-on to any application at the desktop. Not so well known are the additional tools provided within the suite. One of these additional tools is Oracle ESSO Provisioning Gateway. Provisioning Gateway is a web based application that complements the other tools in the suite by enabling the provisioning of application credentials directly to the SSO agent without user interaction.

The Provisioning Gateway server exposes a web service interface that allows it to receive instructions submitted by any other provisioning server. Although Provisioning Gateway is more commonly deployed connected to an identity management system, it does have command line interface (CLI) utilities supplied with the software. These utilities allow for scripted interactions with the Provisioning Gateway server, including batch operations.

For this customer it was possible to export the user credential data out of the ERP system into a text-file format.  Then, armed only with the tools provided within the Oracle ESSO suite it was possible to script the provisioning of these user credentials in batches of 500-1000 to the Provisioning Gateway server. The server provisioned the credentials to the ESSO repository and the credentials were synchronised to the desktop SSO agent at user logon.

So far, so good.  At this stage, the users were still unaware that anything had happened.  The new ERP system wasn’t live yet, but in anticipation of its general release we now had each individual’s username and password ready to go in their SSO credential store – ready for first login.

For security reasons, the ERP system was configured to require a password change at first logon. Therefore, when the user launched the application for the first time on its launch date, an application change password event was triggered. The Oracle ESSO agent was configured to recognise and respond to this change password event, automatically generating and inserting a new password, leaving the user logged on with a new complex password. The end user did not know their password at any point of the on-boarding process or for subsequent logons. Therefore the opportunity of sharing their logon details with colleagues was eliminated. Furthermore, issues with the distribution of new passwords were avoided altogether.
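The zero-touch flow described in this post, together with the 60-day expiry trigger from Case #2 of the ESSO series, as one added example (constructed model, not the Provisioning Gateway CLI or the ESSO agent): credentials are imported in batches from an export file, and at logon the agent decides whether a change-password event is due and, if so, generates a complex password that the user never sees.

```python
import secrets
import string
from datetime import datetime, timedelta

SPECIALS = "!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + SPECIALS

# Constructed stand-in for the text file exported from the ERP system.
EXPORT = [
    "# constructed export: user,app,initial_password",
    "jdoe,erp_timesheets,Welcome1!",
    "asmith,erp_timesheets,Welcome2!",
]


def meets_policy(pw, min_len=12):
    """Complexity rule assumed for the example: length, lower, upper, digit, special."""
    return (len(pw) >= min_len and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw) and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw))


def generate_password(length=16):
    """Draw from a CSPRNG until the policy is met; the value only ever goes to the store."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw):
            return pw


def import_batch(export_lines, store, now, batch_size=500):
    """Parse 'user,app,password' lines into the credential store in batches
    (the post used 500-1000 per batch). Returns the number of batches submitted."""
    rows = [line.strip().split(",") for line in export_lines
            if line.strip() and not line.startswith("#")]
    batches = [rows[i:i + batch_size] for i in range(0, len(rows), batch_size)]
    for batch in batches:
        for user, app, pw in batch:
            store[(user, app)] = {"password": pw, "set_at": now, "must_change": True}
    return len(batches)


def needs_change(entry, now, max_age=timedelta(days=60)):
    """First-logon flag (this post) or age-based expiry (Case #2's 60-day trigger)."""
    return entry["must_change"] or now - entry["set_at"] >= max_age


def on_logon(store, user, app, now):
    """Agent logic at the application's logon screen: plain SSO, or handle the
    change-password event by generating and storing a new complex password."""
    entry = store[(user, app)]
    if not needs_change(entry, now):
        return "sso"
    entry.update(password=generate_password(), set_at=now, must_change=False)
    return "rotated"


def demo():
    """Constructed walk-through: batch import, first logon, a normal logon, then expiry."""
    store = {}
    t0 = datetime(2013, 5, 1, 8, 0)
    batches = import_batch(EXPORT, store, t0, batch_size=1)
    first = on_logon(store, "jdoe", "erp_timesheets", t0)
    pw1 = store[("jdoe", "erp_timesheets")]["password"]
    later = on_logon(store, "jdoe", "erp_timesheets", t0 + timedelta(days=10))
    expired = on_logon(store, "jdoe", "erp_timesheets", t0 + timedelta(days=61))
    pw2 = store[("jdoe", "erp_timesheets")]["password"]
    return {"batches": batches, "first": first, "later": later,
            "expired": expired, "pw1": pw1, "pw2": pw2}
```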

The aurionPro SENA fast rollout template for Oracle ESSO enabled this customer to hit the implementation deadline of the ERP project and also address the security requirements of the organisation. ESSO Provisioning Gateway also has a management interface and this customer exploited this feature to allow the helpdesk team to apply the zero touch methodology to other applications.

As we discussed in the first blog (Putting the EASY into SSO) - Oracle ESSO provides more than just single sign-on to desktop applications.  Its use for zero-touch provisioning shows its versatility and that it can form a core part of an integrated identity and access management framework.  It’s not just a tactical tool for a single issue.  Stay tuned for next week’s blog in this series where we’ll be investigating the capabilities of Oracle ESSO still further.

Friday Feb 22, 2013

Globe Trotters Edition: SERPRO Implementation in LAD Takes Shape

SERPRO (Serviço Federal de Processamento de Dados) is the biggest public company providing IT services in Brazil. Created in 1964 to modernize and bring agility to the strategic sectors of the public administration, SERPRO is responsible for customer data security as well as for recommending best practices and developing programs and services that allow greater control and transparency over public revenue and expenses.

As the largest public IT services company in Brazil, SERPRO had exacting requirements for their identity management and security needs. After all, the company needed control over and insight into data access by users, such as customers (government entities) and citizens, and other groups, including public employees, taxpayers, the tax collection agency, and ministries. SERPRO also needed to create an environment that conformed to federal government security standards, such as Instruction GSI/PR no. 1 of June 13, 2008 and others as set by the Brazilian president’s institutional security cabinet.

The other requirements included the need to:

  • Standardize and organize access controls and identity management for employees and government entities that use the system, to improve the provision of services across 60% of Brazil’s public administration; SERPRO needs to guarantee the availability, integrity, confidentiality and authenticity of the services and products it delivers to its customers
  • Unify and implement rigorous access controls for data related to government entities, employees, taxpayers, and ministries for the company’s 8,000 users to avoid unauthorized access
  • Automate account access revocation in case of employee vacation, termination, etc.

After careful evaluation of available technologies, SERPRO selected and implemented Oracle Identity Manager (OIM). The implementation allowed the company to streamline the user administration process and have a single source of truth for all user access management records. Automated provisioning of user accounts eliminated administration overhead, while automated deprovisioning and account linking significantly reduced security gaps from orphaned accounts or accounts created through manual error. And of course, compliance being a key driver, the OIM implementation allowed SERPRO to manage and audit data access across all its user constituents.

For more information on SERPRO’s implementation and realized benefits, click here.

Monday Nov 05, 2012

Partner Blog Series: PwC Perspectives - Looking at R2 for Customer Organizations

Welcome to the first of our partner blog series. November Mondays are all about PricewaterhouseCoopers' perspective on Identity and R2. In this series, we have identity management experts from PricewaterhouseCoopers (PwC) share their perspective on (and experiences with) the recent identity management release, Oracle Identity Management R2. The purpose of the series is to discuss real world identity use cases that helped shape the innovations in the recent R2 release and the implementation strategies that customers are employing today, with expertise from PwC.

Part 1: Looking at R2 for Customer Organizations

In this inaugural post, we will discuss some of the new features of the R2 release of Oracle Identity Manager that some of our customer organizations are implementing today and the business rationale for those.

Oracle's R2 Security portfolio represents a solid step forward for a platform that is already market-leading.  Prior to R2, Oracle was an industry titan in security with reliable products, expansive compatibility, and a large customer base.  Oracle has taken their identity platform to the next level in their latest version, R2.  The new features include a customizable UI, a request catalog, flexible security, and enhancements for its connectors, and more.

Oracle customers will be impressed by the new Oracle Identity Manager (OIM) business-friendly UI.  Without question, Oracle has invested significant time in responding to customer feedback about making access requests and related activities easier for non-IT users.  The flexibility to add information to screens, hide fields that are not important to a particular customer, and adjust web themes to suit a company's preference make Oracle's Identity Manager stand out among its peers.  Customers can also expect to carry UI configurations forward with minimal migration effort to future versions of OIM.  Oracle's flexible UI will benefit many organizations looking for a customized feel with out-of-the-box configurations.

Organizations looking to extend their services to end users will benefit significantly from new usability features like OIM’s ‘Catalog.’ Customers familiar with Oracle Identity Analytics' 'Glossary' feature will be able to relate to the concept. It will enable Roles, Entitlements, Accounts, and Resources to be requested through the out-of-the-box UI. This is an industry-changing feature as customers can make the process to request access easier than ever. For additional ease of use, Oracle has introduced a shopping cart style request interface that further simplifies the experience for end users. Common requests can be set up as profiles to save time. All of this is combined with the approval workflow engine introduced in R1 that provides the flexibility customers need to meet their compliance requirements.

Enhanced security was also on the list of features Oracle wanted to deliver to its customers.  The new end-user UI provides additional granular access controls.  Common Help Desk use cases can be implemented with ease by updating the application profiles.  Access can be rolled out so that administrators can only manage a certain department or organization.  Further, OIM can be more easily configured to select which fields can be read-only vs. updated.  Finally, this security model can be used to limit search results for roles and entitlements intended for a particular department.  Every customer has a different need for access and OIM now matches this need with a flexible security model.

One of the important considerations when selecting an Identity Management platform is compatibility.  The number of supported platform connectors and how well it can integrate with non-supported platforms is a key consideration for selecting an identity suite.  Oracle has a long list of supported connectors.  When a customer has a requirement for a platform not on that list, Oracle has a solution too.  Oracle is introducing a simplified architecture called Identity Connector Framework (ICF), which holds the potential to simplify custom connectors.  Finally, Oracle has introduced a simplified process to profile new disconnected applications from the web browser.  This is a useful feature that enables administrators to profile applications quickly as well as empowering the application owner to fulfill requests from their web browser.  Support will still be available for connectors based on previous versions in R2.

Oracle Identity Manager's new R2 version has delivered many new features customers have been asking for.  Oracle has matured their platform with R2, making it a truly distinctive platform among its peers.

In our next post, expect a deep dive into use cases for a customer considering R2 as their new Enterprise identity solution. In the meantime, we look forward to hearing from you about the specific challenges you are facing and your experience in solving those.

Meet the Writers

Dharma Padala is a Director in the Advisory Security practice within PwC.  He has been implementing medium to large scale Identity Management solutions across multiple industries including utility, health care, entertainment, retail and financial sectors.   Dharma has 14 years of experience in delivering IT solutions out of which he has been implementing Identity Management solutions for the past 8 years.

Scott MacDonald is a Director in the Advisory Security practice within PwC.  He has consulted for several clients across multiple industries including financial services, health care, automotive and retail.   Scott has 10 years of experience in delivering Identity Management solutions.

John Misczak is a member of the Advisory Security practice within PwC.  He has experience implementing multiple Identity and Access Management solutions, specializing in Oracle Identity Manager and Business Process Engineering Language (BPEL).

Jenny (Xiao) Zhang is a member of the Advisory Security practice within PwC.  She has consulted across multiple industries including financial services, entertainment and retail. Jenny has three years of experience in delivering IT solutions out of which she has been implementing Identity Management solutions for the past one and a half years.

Praveen Krishna is a Manager in the Advisory Security practice within PwC. Over the last decade Praveen has helped clients plan, architect and implement Oracle identity solutions across diverse industries. His experience includes delivering security across diverse topics like network, infrastructure, application and data where he brings a holistic point of view to problem solving.

About

Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.
