Thursday Dec 06, 2012

Tackling Security and Compliance Barriers with a Platform Approach to IDM: Featuring SuperValu

On October 25, 2012, ISACA and Oracle sponsored a webcast discussing how SUPERVALU has embraced the platform approach to IDM. Scott Bonnell, Sr. Director of Product Management at Oracle, and Phil Black, Security Director for IAM at SUPERVALU, discussed how a platform strategy could be used to formulate an upgrade plan for a large Sun IDM installation.

See the webcast replay here: ISACA Webcast Replay (Requires Internet Explorer or Chrome)

Some of the main points discussed in the webcast include:

  • Getting support for an upgrade project by aligning with corporate initiatives
  • How to leverage an existing IDM investment while planning for future growth
  • How Sun and Oracle IDM architectures can be used in a coexistence strategy
  • Advantages of a rationalized, modern IDM platform architecture


Monday Nov 12, 2012

Partner Blog Series: PwC Perspectives Part 2 - Jumpstarting your IAM program with R2

Identity and access management (IAM) isn’t a new concept. Over the past decade, companies have begun to address identity management through a variety of solutions that have primarily focused on provisioning. The new-age workforce is converging at a rapid pace, with ever-increasing demand to use a diverse portfolio of applications and systems to interact and interface with peers in the industry and customers alike. Oracle has taken a significant leap with its release of Identity and Access Management 11gR2 towards enabling this global workforce to conduct its business in a secure, efficient and effective manner.

As companies deal with IAM business drivers, it becomes immediately apparent that holistic, rather than piecemeal, approaches better address their needs. When planning an enterprise-wide IAM solution, the first step is to create a common framework that serves as the foundation on which to build the cost, compliance and business process efficiencies. As a leading industry practice, IAM should be established on a foundation of accurate data for identity management, making this data available in a uniform manner to downstream applications and processes. Mature organizations are looking beyond IAM’s basic benefits to harness more advanced capabilities in user lifecycle management.

For any organization looking to embark on an IAM initiative, consider the following use cases in managing and administering user access.

Expanding the Enterprise Provisioning Footprint

Almost all organizations have some helpdesk resources tied up in handling access requests from users, a distraction from their core job of handling problem tickets. This dependency has mushroomed from the traditional acceptance of provisioning solutions that integrate with and address only a portion of the applications in a heterogeneous landscape.

Oracle Identity Manager (OIM) 11gR2 solves this problem by offering integration with third-party ticketing systems as “disconnected applications”. It allows existing business processes to be seamlessly integrated into the system and tracked throughout their lifecycle. With minimal effort and analysis, an organization can begin integrating OIM with groups or applications that are involved in manually intensive access provisioning and de-provisioning activities. This aspect of OIM allows organizations to on-board applications and associated business processes quickly using out-of-the-box templates and frameworks. This is especially important for organizations looking to fold in users and resources from mergers and acquisitions.

Simplifying Access Requests

Organizations looking to implement access request solutions often find it challenging to get their users to accept and adopt the new processes. So, how do we improve the user experience, make it intuitive and personalized, and yet simplify the user access process?

With R2, OIM helps organizations alleviate the challenge by placing the most used functionality front and centre in the new user request interface. Roles, application accounts, and entitlements can all be found in the same interface as catalog items, giving business users a single location to go to whenever they need to initiate, approve or track a request.

Furthermore, if a particular item is not relevant to a user’s job function or area inside the organization, it can be hidden so as to not overwhelm or confuse the user with superfluous options. The ability to customize the user interface to suit your needs helps in exercising the business rules effectively and avoiding access proliferation within the organization.

Saving Time with Templates

A typical use case that is most beneficial to business users is the flexibility to place, edit, and withdraw requests based on changing circumstances and business needs. With OIM R2, multiple catalog items can now be added to and removed from the shopping cart, an e-commerce paradigm that many users are already familiar with. This feature can be especially useful when setting up a large number of new employees or granting an existing department or group access to a newly integrated application.

Additionally, users can create their own shopping cart templates in order to complete subsequent requests more quickly. This feature saves the user from having to search for and select items all over again if a request is similar to a previous one.

Advanced Delegated Administration

A key feature of any provisioning solution should be to empower each business unit to manage its own access requests. By bringing administration closer to the user, you improve user productivity, enable efficiency and reduce the administration overhead. Doing so requires a federated services model, so that business units capable of shouldering the onus of user lifecycle management for their business users can be enabled to do so.

OIM 11gR2 offers advanced administrative options for creating, managing and controlling business logic and workflows through an easy-to-use administrative interface and tools that can be exposed to delegated business administrators. For example, these business administrators can establish or modify how certain requests and operations should be handled within their business unit based on a number of attributes, ranging from the type of request to the risk level of the individual items requested.

Closed-Loop Remediation

Security continues to be a major concern for most organizations. Identity management solutions bolster security by ensuring that only the right users have the right access to the right resources. Preventing unauthorized access and, where it already exists, detecting and remediating it are key requirements of a proven enterprise-grade solution. But the challenge with most solutions today is that some of this information still exists in silos. And when changes are made to systems directly, not all of that information is captured.

With R2, Oracle is offering a comprehensive Identity Governance solution that our customer organizations are leveraging for closed-loop remediation: an automated way for administrators to revoke unauthorized access. The change is automatically captured and the action noted for continued management.


While implementing provisioning solutions, it is important to keep both the near-term and the long-term goals in mind. The provisioning solution should always be part of a larger security and identity management program, with the ability to integrate seamlessly not only with the company’s infrastructure but also to leverage the information and business models compiled and used by the other identity management solutions. This allows organizations to reduce the cost of ownership, close security gaps and leverage the existing infrastructure. Having done so at multiple clients’ sites, this is the approach we recommend.

In our next post, we will take a journey through our experiences of advising clients looking to upgrade to R2 from a previous version or migrating from a different solution.

Meet the Writers:


Praveen Krishna is a Manager in the Advisory Security practice within PwC.  Over the last decade Praveen has helped clients plan, architect and implement Oracle identity solutions across diverse industries.  His experience includes delivering security across diverse topics like network, infrastructure, application and data where he brings a holistic point of view to problem solving.

Dharma Padala is a Director in the Advisory Security practice within PwC.  He has been implementing medium to large scale Identity Management solutions across multiple industries including utility, health care, entertainment, retail and financial sectors.   Dharma has 14 years of experience in delivering IT solutions out of which he has been implementing Identity Management solutions for the past 8 years.

Scott MacDonald is a Director in the Advisory Security practice within PwC.  He has consulted for several clients across multiple industries including financial services, health care, automotive and retail.   Scott has 10 years of experience in delivering Identity Management solutions.

John Misczak is a member of the Advisory Security practice within PwC.  He has experience implementing multiple Identity and Access Management solutions, specializing in Oracle Identity Manager and Business Process Execution Language (BPEL).

Jenny (Xiao) Zhang is a member of the Advisory Security practice within PwC.  She has consulted across multiple industries including financial services, entertainment and retail. Jenny has three years of experience in delivering IT solutions out of which she has been implementing Identity Management solutions for the past one and a half years.

Tuesday Sep 04, 2012

ISACA Webcast follow up: Managing High Risk Access and Compliance with a Platform Approach to Privileged Account Management

Last week we presented how Oracle Privileged Account Manager (OPAM) could be used to manage high risk, privileged accounts.  If you missed the webcast, here is a link to the replay: ISACA replay archive (NOTE: you will need to use Internet Explorer to view the archive)

For those of you that did join us on the call, you will know that I only had a little bit of time for Q&A, and was only able to answer a few of the questions that came in.  So I wanted to devote this blog to answering the outstanding questions.  Here they are.

1. Can OPAM track admin or DBA activity details during a password check-out session?

Oracle Audit Vault monitors these activities, which can be correlated with check-out events.

2. How would OPAM handle simultaneous requests?

OPAM can be configured to allow for shared passwords.  By default sharing is turned off.

3. How long are the passwords valid?  Are the admins required to manually check them in?

Password expiration can be configured and set in the password policy according to your corporate standards.  You can specify if you want forced check-in or not.

4. Can 2-factor authentication be used with OPAM?

Yes - 2-factor integration with OPAM is provided by integration with Oracle Access Manager, and Oracle Adaptive Access Manager.

5. How do you control access to OPAM to ensure that OPAM admins don't override the functionality to access privileged accounts?

OPAM provides separation of duties by using Admin Roles to manage access to targets and privileged accounts and to control which operations admins can perform.

6. How and where are the passwords stored in OPAM?

OPAM uses Oracle Platform Security Services (OPSS) Credential Store Framework (CSF) to securely store passwords.  This is the same system used by Oracle Applications.

7. Does OPAM support hierarchical/level based privileges?  Is the log maintained for independent review/audit?

Yes. OPAM uses the Fusion Middleware (FMW) Audit Framework to store all OPAM related events in a dedicated audit database.

8. Does OPAM support emergency access in the case where approvers are not available until later?

Yes.  OPAM can be configured to release a password under a "break-glass" emergency scenario.

9. Does OPAM work with AIX?

Yes. Supported UNIX versions are listed in the "certified components" section of the UNIX connector guide at:

10. Does OPAM integrate with Sun Identity Manager?

Yes.  OPAM can be integrated with SIM using the REST APIs.  OPAM has direct integration with Oracle Identity Manager 11gR2.

11. Is OPAM available today and what does it cost?

Yes.  OPAM is available now.  Ask your Oracle Account Manager for pricing.

12. Can OPAM be used in SAP environments?

Yes. Supported SAP versions are listed in the "certified components" section of the SAP connector guide here:

13. How would this product integrate, if at all, with access to particular fields in the DB that need additional security, such as SSNs?

OPAM can work with DB Vault and DB Firewall to provide the fine grained access control for databases.

14. Is VM supported?

As a deployment platform, Oracle VM is supported. For further details about supported virtualization technologies, see the Oracle Fusion Middleware Supported System Configurations here:

15. Where did this (OPAM) technology come from?

OPAM was built by Oracle Engineering.

16. Are all Linux flavors supported?  How about BSD?

BSD is not supported. For supported UNIX versions, see the "certified components" section of the UNIX connector guide.

17. What happens if users don't check passwords in at the end of a work task?

In OPAM, a time frame can be defined for how long a password may remain checked out. The security admin can force a check-in at any time.

18. Is MySQL supported?

Yes. Supported DB versions are listed in the "certified components" section of the DB connector guide here:

19. What happens when OPAM crashes and you need to use the password?

OPAM can be configured for high availability, but if required, OPAM data can be backed up/recovered.  See the OPAM admin guide.

20. Is OPAM a standalone product, or does it leverage other components from IDM?

OPAM can be run stand-alone, but it will also leverage other IDM components.

Tuesday Jun 12, 2012

Identity Management as a Controls Infrastructure

Identity systems are indispensable to managing online resources, and are becoming increasingly more complex as businesses adapt their current infrastructures to support a broad user population across a wide range of devices. Adding point products to solve problems addresses the short term need, but complicates the longer term management outlook.

Download the latest whitepaper HERE to see how Oracle is taking a platform approach to building a scalable and secure controls infrastructure that enables businesses to engage customers and gives employees secure access to corporate resources from anywhere.

Thursday May 31, 2012

The Business Case for a Platform Approach

Most customers have assembled a collection of Identity Management products over time, as they have reacted to industry regulations, compliance mandates and security threats, typically selecting best-of-breed products.  The resulting infrastructure is a patchwork of systems that has served the short-term IDM goals, but is overly complex, hard to manage and cannot scale to meet the needs of the future social/mobile enterprise.

The solution is to rethink Identity Management as a Platform, rather than individual products. Aberdeen Research has shown that taking a vendor integrated platform approach to Identity Management can reduce cost, make your IT organization more responsive to the needs of a changing business environment, and reduce audit deficiencies. 

View the slide show below to see how companies like Agilent, Cisco, ING Bank and Toyota have all built the business case and embraced the Oracle Identity Management Platform approach.

Wednesday Feb 22, 2012

Immersion in Identity Talks Tomorrow (Feb 23)

If Identity Management is top of mind for you then we have a healthy dose of Identity talks lined up for you tomorrow (Thursday, February 23).

IOUG Webcast: Analyzing Identity as a Platform Approach

Thursday, February 23, 12p EST/11a CST/9a PST

Join Michael Neuenschwander, a well known name in the industry and Senior Director, Oracle Identity Management, on an IOUG webcast to discuss Identity as a Platform approach. Hear first-hand Mike's take on the Platform approach, the rationale behind the same and the results from a study conducted on the subject.

Register to catch the webcast live tomorrow.

And then, right after the IOUG webcast, we have got a live webcast lined up for the Higher Ed industry. 

Live Webcast: Managing Identities and Roles in Higher Education

Thursday, February 23,  1p EST/12p CST/10a PST

At Oracle, we understand that higher education’s environment can be one of the most complex and dynamic environments for managing identities. Many individuals arrive and leave each semester. Many individuals have more than one responsibility at the same time (Professor, Student, Researcher, Employee, etc.). These factors present a unique challenge in accurately determining what a user’s role should be, so that least-privilege security can be achieved and, in doing so, regulatory compliance and security requirements can be fulfilled. An intelligent identity analytics solution is the answer.

Join the webcast tomorrow and you'll learn how Oracle Identity Analytics is already playing a crucial role in helping higher ed organizations achieve their security and compliance objectives. Learn the key capabilities required of an identity analytics solution that can help you scale your compliance across your entire IT infrastructure (on premise or in the cloud) in a cost effective manner. This webcast will feature Neil Gandhi, Principal Product Manager at Oracle.

Register today for the live webcast.

Wednesday Feb 15, 2012

An IOUG Webcast and Michael Neuenschwander Make a Good Combination

Since the Aberdeen study came out about Analyzing Platform versus Point Solution Approach in Identity Management, there has been much talk on the subject. And that’s great news! The Aberdeen report was based on a survey of over 150 organizations across industries from all over the world. Since then, multiple organizations have also discussed their reasons for, and results from, implementing a platform solution, and the case for a platform approach has been stronger than ever.

As some of you may know, we have recently had Michael Neuenschwander join the Oracle Identity Management team. That’s a familiar name for most in Security and Identity Management. Michael has joined Oracle as Senior Director of Product Management for Oracle's Identity Management solutions, responsible for product strategy and direction. Previously, Mike was a Senior Manager with the Accenture Information Security Practice. A recognized thought leader in the identity industry, perhaps most of us know Mike’s work as Research Director for Burton Group's Identity and Privacy Strategies Service.

Given Mike’s vast experience in Identity Management and Security and his dealings with organizations struggling to solve their security and compliance challenges, we are so excited that not only are we able to leverage his expertise and knowledge to make our solutions even better but also that we get to share his perspectives and experience via various forums like this upcoming IOUG webcast.

Please join us on this webcast to hear Mike’s take on the discussion of Platform versus Point Solution approach in Identity Management. This is also a great opportunity to get your questions answered live by Michael Neuenschwander. We look forward to a great discussion. Here are the webcast and registration details:

IOUG Webcast: Analyzing Platform Approach for Identity Management

with Michael Neuenschwander, Senior Director, Oracle Identity Management
Thursday, February 23, 2012 at 12 pm Eastern/ 9 am Pacific
Register Today



Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.
