Wednesday Apr 16, 2014

Management and Provisioning of Mobile Devices - Dave Smith

Today we will explore provisioning and device management. These weren’t always considered to be related topics, but in a bring-your-own-device (BYOD) world there are new relationships to consider.

So what is a device? In the context of the Internet of Things, it potentially refers to anything having an IP address, such as an automobile, a refrigerator, etc. In the context of mobile security, it refers to smartphones and tablets. The mobile device is the new channel for accessing corporate content, applications and systems, breaking free from the traditional model of using a desktop computer or laptop to access these assets.

It should be no surprise that from the perspective of enterprise security, “device management” means controlling the device or, better yet, controlling what corporate assets can be accessed from the device. In a BYOD world, employees bring their personal mobile devices into the workplace in order to access corporate assets more flexibly. The BYOD phenomenon defines not only an architecture but also a cultural shift and, quite frankly, an expectation among users that their personal devices will continue to provide the experience they are accustomed to from other mobile apps. Device management must therefore be carefully deployed: it has to provide easy and familiar access for employees’ devices, while at the same time not sacrificing corporate security by granting limitless access to corporate assets. While on the surface device management seems to be a device-centric approach, it actually needs to be user-centric.

So what does provisioning mean for mobile devices? Provisioning means managing access. Often this is associated with managing access to application accounts – e.g. creating, updating, retrieving or deleting accounts, or managing the privileges or entitlements granted through those accounts. However, when considering mobile devices and device management, provisioning must also cover managing access from the user’s device to corporate assets (content, files/shares, applications, services). So provisioning includes both digital access (e.g. accounts and entitlements) and physical access (e.g. enabling network access to corporate assets). Managing someone’s access by group or role (e.g. role-based access control, RBAC) is much more scalable and less brittle than managing access on an individual, user-by-user basis.

Provisioning access can be triggered by a number of factors. One is “birthright” access, based on a new-hire event. Another is driven by requests for new access (similar to online shopping, but where the cart holds new entitlements). With the introduction of mobile devices, a third example is managing the catalog of mobile apps that a particular person can download to his or her device, ideally based upon his or her job and role within the company.

Closely related to provisioning is de-provisioning, the removal of access. Historically, de-provisioning occurs when a person leaves the company or changes jobs and no longer needs access. In a BYOD world, de-provisioning must extend to the mobile apps running on the person’s enabled devices. Furthermore, given that mobile devices can be more easily lost or stolen, mobile device management dictates that access has to be de-provisioned or blocked from the device when the device itself has been compromised.

In the next blog, we will take a look at the concept of “secure containers”, which are provisioned to the device as a key component of a successful BYOD strategy.

Thursday May 16, 2013

Oracle On Demand Provisioning Service

The growing number of business applications and services that employees need to access makes it increasingly difficult for organizations to create and remove accounts and privileges in a timely fashion, and keep track of everything for compliance purposes. Help-desk costs related to manual account administration and password reset also prove challenging.

To learn more about how Oracle can help your organization deal with these challenges by reducing costs, decreasing exposure and risk, and improving IT efficiencies through Identity Management, download our data sheet on Oracle On Demand Provisioning Service.

Wednesday Feb 27, 2013

User Management for Databases (UM4DB)

Author: Kevin Moulton

You are responsible for managing accounts in the databases. You have lots of databases from lots of vendors. Oracle Database, SQL Server, Sybase, DB2. You manage the DBAs, so you have to give them privileges. In turn, they grant privileges to the user community. Some applications are off the shelf, and others are home grown, but they all store data in one of your databases. Some store their users in a directory, some use a user table in a database, and some use standard database users. In other words, you have a management mess on your hands!

The IT department is implementing some kind of automation and workflow tool, and they tell you that managing the database users is on their roadmap, but it’s buried way down the list. Of course it is! IT is not responsible for the databases. You are!

Budgets are tight, and you’re not getting the headcount you need to manually create and manage users, maintain the databases, and troubleshoot application problems when users don’t see the data they expect. That shouldn’t even be your problem, but of course they come to your team for everything. The auditors are after you about your costly and inconsistent manual processes and lack of controls, and demanding that you bring your environment into compliance with SOX, PCI, HIPAA, or whatever. Your users have to remember a different password for every database. Your DBAs use shared accounts that everyone knows the password to, including about 10 people that don't even work there anymore, but you're afraid to change it because you don't know what might break.

So, what can you do?

Oracle User Management for Databases (UM4DB) could be exactly what you are looking for. Oracle UM4DB is simply a set of components of the Oracle Identity Governance Suite configured specifically for managing your heterogeneous database environment.

UM4DB will allow you to automate the management of access to your databases. If a new user needs access to a database, that user or the user's manager would request access through a simple web GUI to a database or an application, and then the UM4DB connectors would create the required accounts with the appropriate privileges based on your rules. For compliance purposes, you could include a management approval step before access is granted.

You could even configure UM4DB to take a feed from HR, or take a feed from multiple sources of new employees and contractors, and then grant these users the access they require based on rules that you configure. In my experience, these rules are easy to create, because your DBAs have all of the rules in their heads. You just need to translate their experience into simple access rules. For example, a rule may be created where everyone in HR gets access to the employee database, along with certain roles they need.

Figure 1: End users can request application access via a self-service GUI.

Once these rules are in place, your auditors will be happy, because not only will the appropriate access to your databases and applications be granted automatically and consistently, but that access would be appropriately modified when that user's position changes, and taken away automatically when that user leaves your organization. This is the least privilege model you've always hoped for.
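The rule-driven provisioning and automatic de-provisioning described here (and the role-based access point made in the BYOD post above), as an added example that is not UM4DB's own code: a Python reconciliation that derives each person's entitlements from HR attributes and diffs them against current database grants. The HR records, departments, database and role names, and the approval rule are constructed for illustration.

```python
"""Added example (not UM4DB code): derive database entitlements from an HR
feed by rule and reconcile them against current grants, producing the
grant/revoke actions an identity governance tool would execute.  All records,
departments, databases, roles and the approval rule are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    db: str
    role: str


# The access rules "in your DBAs' heads", written down per department (constructed).
RULES = {
    "HR": {Grant("employee_db", "hr_reader"), Grant("employee_db", "hr_writer")},
    "Finance": {Grant("ledger_db", "gl_reader")},
    "Engineering": {Grant("employee_db", "hr_reader")},
}
# Grants that need a manager's approval before they are provisioned (constructed).
APPROVAL_REQUIRED = {Grant("employee_db", "hr_writer")}

# Constructed HR feed and current-grant snapshot: alice is a new hire, bob moved from
# Finance to Engineering, carol has left, and dave exists in the databases but not in HR.
SAMPLE_HR = [
    {"id": "alice", "department": "HR", "status": "active"},
    {"id": "bob", "department": "Engineering", "status": "active"},
    {"id": "carol", "department": "Finance", "status": "terminated"},
]
SAMPLE_CURRENT = {
    "bob": {Grant("ledger_db", "gl_reader")},
    "carol": {Grant("ledger_db", "gl_reader")},
    "dave": {Grant("employee_db", "hr_writer")},
}


def desired_grants(hr_record: dict) -> set:
    """Entitlements a person should hold, computed only from HR attributes."""
    if hr_record.get("status") != "active":
        return set()  # leavers are entitled to nothing: automatic de-provisioning
    return set(RULES.get(hr_record.get("department"), set()))


def _ordered(grants) -> list:
    return sorted(grants, key=lambda g: (g.db, g.role))


def reconcile(hr_feed: list, current: dict) -> list:
    """Diff desired state against current grants.

    Returns (action, user, db, role) tuples where action is 'grant',
    'pending_approval' or 'revoke'.  Accounts present in the databases but
    absent from the HR feed are treated as orphans and fully revoked."""
    actions = []
    seen = set()
    for rec in hr_feed:
        uid = rec["id"]
        seen.add(uid)
        want = desired_grants(rec)
        have = current.get(uid, set())
        for g in _ordered(want - have):
            kind = "pending_approval" if g in APPROVAL_REQUIRED else "grant"
            actions.append((kind, uid, g.db, g.role))
        for g in _ordered(have - want):  # job change or termination
            actions.append(("revoke", uid, g.db, g.role))
    for uid in sorted(set(current) - seen):  # orphaned accounts
        for g in _ordered(current[uid]):
            actions.append(("revoke", uid, g.db, g.role))
    return actions


if __name__ == "__main__":
    for action in reconcile(SAMPLE_HR, SAMPLE_CURRENT):
        print(*action)
```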

Reports within UM4DB will show you who has access to what, when they got it, who requested it, and who approved it. UM4DB could also be easily configured to perform recertification/attestation jobs at a frequency you determine, to make your auditors even happier. Your end users will be happier too, because UM4DB will maintain a record of all of the access they have, allowing them to change their password in one place. That password change would then be propagated to all of the databases they have access to. There go all of those annoying help desk calls. The days of your DBAs spending all of their time on account management and password resets are over! Don’t they have better things to do?

Your DBAs don’t need the headaches of user management, password management, and compliance. UM4DB can make them go away.

About the Writer:

Kevin Moulton has been in the security space for more than 25 years, and with Oracle for 7 years. He manages the East Enterprise Security Sales Consulting Team. He is also a Distinguished Toastmaster. Follow Kevin on Twitter at, where he sometimes tweets about security, but might also tweet about running, beer, food, baseball, football, good books, or whatever else grabs his attention. Kevin will be a regular contributor to this blog so stay tuned for more posts from him.

Previous Posts from the Writer:

Grow your Business with Security

The Unintended Consequences of Sound Security Policy

Bang for the Buck

Wednesday Jan 09, 2013

Telenet uses Oracle Identity Management

The Company:

Founded in 1996, Telenet began as a European broadband services pioneer. Today, the company is a market leader in Belgium for residential high-speed internet, telephony, and digital television services. It serves 1.24 million digital television subscribers, 1.22 million internet customers, and 815,000 fixed telephony accounts. Telenet Solutions, the company’s business market division, offers a complete communications solutions portfolio for organizations and corporations, holding a commanding lead in the Belgian/Luxembourg business market.

Business Challenges:

  • Existing legacy identity management system required custom coding and was hard to maintain
  • Need to automate user provisioning for a dynamic workforce
  • Need to automate immediate revocation of user accounts on job changes to improve security
  • Wanted to accelerate the internal approval process for user access to business applications
  • Build transparency and gain complete insight into who has access to what and when


Telenet implemented Oracle Identity Management to centralize identity management and security operations. Leveraging Oracle Identity Manager and Oracle Identity Analytics (part of Oracle Identity Governance Suite), Telenet managed to automate user account administration, streamline user access control, optimize license management and offer insight into who had access to what business applications.

For more information on Telenet’s implementation, check out the case study and the following video.

Tuesday Jan 08, 2013

2012: No Time To REST For The Holidays

Author: Phil Hunt

This past year has been one of the biggest years of change I've seen in a while. It started off with the expected priority of delivering and using cloud-based services at the top of everyone's mind. However, it soon became apparent that the usual way of delivering services (e.g. ones based on SOAP) was not what was going to make that happen. It is now apparent that cloud-hosted services will largely be based on REST and JSON. A monumental change in service architecture is being driven by the market.

Emergence of REST-based Cloud

Today's REST services are incredibly lightweight, coupling HTTP and JSON rather than XML and SOAP. The combination of REST and JSON is seen as lightweight and particularly easy to support for the expanding universe of mobile devices (iPads and smartphones). Still, if you think REST is a flash in the pan, look at the growth REST has had over the past couple of years. See Craig Burton's post on the API Economy here:

The impact on service architecture will be quite substantial. REST changes how service architectures are delivered in many ways. Instead of being process oriented, as often seen in SOAP-based services, REST services are all "resource" oriented (e.g. set the password of resource independentid to 'x'). Unlike SOAP, REST uses simple object state representations (resources) accessible via URLs. So, for example, a "ChangePassword" service now becomes a simple "set password attribute on resource abc123". While this is simple for the client application, the implications are significant. What of password policy, what of workflow and validation? Somewhere behind that simple "set password attribute" command a lot still has to happen.
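The policy, history and audit work that must sit behind a resource-oriented "set password attribute" call, as an added example rather than code from the post: a minimal SCIM 2.0-style PATCH handler in Python. The resource id abc123 and the user name independentid come from the post; the password policy thresholds, the in-memory store and the audit list are assumptions.

```python
"""Added example (not from the post): a SCIM 2.0-style PATCH that replaces the
'password' attribute, with the policy, history and audit work that a plain REST
"set attribute" hides from the client.  Store contents, policy thresholds and
the audit list are constructed for illustration."""
import hashlib
import hmac
import json
import os
import re
from dataclasses import dataclass, field

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # RFC 7644


@dataclass
class PasswordPolicy:
    min_length: int = 12      # assumed thresholds, not from the post
    min_classes: int = 3      # of: lower, upper, digit, symbol
    history_depth: int = 5    # reject reuse of the last N passwords


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class UserRecord:
    user_name: str
    history: list = field(default_factory=list)  # [(salt, digest)], newest first

    def reuses_password(self, candidate: str) -> bool:
        return any(hmac.compare_digest(_digest(candidate, s), d) for s, d in self.history)


def check_policy(candidate: str, user: UserRecord, policy: PasswordPolicy) -> list:
    """Return violation messages; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < policy.min_classes:
        problems.append(f"fewer than {policy.min_classes} character classes")
    if user.user_name.lower() in candidate.lower():
        problems.append("contains the user name")
    if user.reuses_password(candidate):
        problems.append(f"reuses one of the last {policy.history_depth} passwords")
    return problems


def make_patch(value: str, schema: str = PATCH_OP_SCHEMA) -> str:
    """Build the JSON body a SCIM client would send to set a password."""
    return json.dumps({"schemas": [schema],
                       "Operations": [{"op": "replace", "path": "password", "value": value}]})


def new_store() -> dict:
    # Constructed resource: id abc123 and user name independentid come from the post.
    return {"abc123": UserRecord("independentid")}


def handle_patch(store: dict, resource_id: str, body: str,
                 policy: PasswordPolicy, audit: list) -> tuple:
    """Server side of PATCH /Users/{id}.  Returns (http_status, response_body)."""
    try:
        req = json.loads(body)
    except ValueError:
        return 400, {"detail": "malformed JSON", "scimType": "invalidSyntax"}
    if PATCH_OP_SCHEMA not in req.get("schemas", []):
        return 400, {"detail": "not a PatchOp message", "scimType": "invalidSyntax"}
    user = store.get(resource_id)
    if user is None:
        return 404, {"detail": f"resource {resource_id} not found"}
    for op in req.get("Operations", []):
        if op.get("op", "").lower() != "replace" or op.get("path") != "password":
            return 400, {"detail": "only replace of password is handled here"}
        candidate = str(op.get("value", ""))
        problems = check_policy(candidate, user, policy)
        # Every attempt, accepted or not, is written to the audit trail.
        audit.append({"resource": resource_id, "accepted": not problems, "reasons": problems})
        if problems:
            return 400, {"detail": "; ".join(problems), "scimType": "invalidValue"}
        salt = os.urandom(16)
        user.history.insert(0, (salt, _digest(candidate, salt)))
        del user.history[policy.history_depth:]
    # The password attribute is write-only in SCIM: it is never echoed back.
    return 200, {"id": resource_id, "userName": user.user_name}


if __name__ == "__main__":
    store, audit = new_store(), []
    print(handle_patch(store, "abc123", make_patch("x"), PasswordPolicy(), audit))
    print(handle_patch(store, "abc123", make_patch("Correct-Horse-Battery-9"), PasswordPolicy(), audit))
```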

Fat Apps are now Phat!

Another major trend is to supplement browser-based applications with fat applications running on desktops and mobile phones (remember "fat apps" in the 80s and 90s?). It is with some irony that Web 3 is not about the browser at all, but rather about the interconnection of applications (e.g. Facebook, Flickr) that are identity centric.

Web applications in the cloud are also acting as a kind of super-connected REST-based application, providing aggregation and interconnection of services owned by users. Starting from social networks, new networks are forming, such as loyalty networks (credit card, air, banking) and travel networks, and even financial networks are now emerging, linking personal data to provide value-added services.

Web 3 Drives Forward A New Authorization Model: OAuth2

With the emergence of Web 3 applications, there has been a corresponding need for many applications to ask users for their user-ids and passwords so that they can access user-controlled resources from other companies. As more interconnected social network services (e.g. Google Docs, Flickr, Facebook, Twitter) emerged, it became clear over the past few years that the "password anti-pattern" would have to be eliminated. As a result, a new web authorization/delegation protocol emerged called OAuth2 (now standardized as IETF RFC 6749). OAuth2 provides a way to cleanly separate user authentication from user authorization, allowing client applications to use authorization tokens to access web resources on a user's behalf.

OAuth2 has gone through quite a colorful evolution within the IETF. But I have to say a mark of its importance has been the extremely broad collaborative development from participants that are web service providers as well as middleware vendors. As the protocol matured through extensive implementation, I had the honor of co-authoring the security considerations and producing an OAuth2 Threat Model document that will serve to give both implementers and deployers of OAuth2 an incredible amount of detail on how to secure and configure this protocol in the many different authorization scenarios it can support.

Is SAML Dead or Just Starting?

Craig Burton made headlines last summer with his declaration that "SAML is dead" at the Cloud Identity Summit in July. Was he being controversial? Sure. But his point of view comes from the fact that while SAML grows slowly along with SOAP, REST by contrast is taking off for the moon!

So, do I agree that REST and OAuth eliminate the need for SAML? The answer is no. In fact, the opposite. While OAuth2 issues authorization tokens, OAuth2 still depends on traditional federation, web SSO, and other classic methods of authentication to take place before OAuth2 can issue tokens. Not only is SAML needed to authenticate federated users, SAML is now also being used to authenticate the new client applications. I blogged on this very topic early on in 2011:

Provisioning to the Cloud

The final big development last year was the emergence of SCIM for cloud provisioning. With all these new business cloud providers emerging, it became critical to find a way to easily provision tens of thousands of users quickly. When you contract for services with a cloud service provider, SCIM's goal is to help you get your employees and customers provisioned.

Looking Forward - The Emergence of the Identity Cloud and the Interop Language

Whether Oracle, Cisco, Facebook, Google, Microsoft, SFDC or Yahoo, one thing that all service providers seem to be developing is some notion of a cloud directory (aka Graph API). Cloud directories are somewhat different from classic enterprise LDAP directories in that they are currently custom built to support key corporate applications first, and then evolve to support the merger of other acquired services over time. Some of these directories are based on SQL databases, some on NoSQL, some on other custom-built data stores. While all support REST APIs, currently no two cloud directories support a standard access protocol. Two possible candidates for RESTful standardization at this time are SCIM and OpenID Connect. The choice of SCIM seems like a natural one, as it supports create, read and update operations much like LDAP. While OpenID Connect gives access to user-authentication and session management data, its identity profile seems to duplicate features found in SCIM. How this plays out depends on how much data applications will choose to store in cloud directories.

Yet to be sorted out in 2013 is what the key protocols and standards around cloud directories will be. Will they be built on the old LDAP model? Or will they support the more expressive SCIM schema? In the universe of inter-connected RESTful services, the role of standardized, interoperable schema is vital. Who needs to inter-operate with whom? Does a service provider adapt to each client, or do clients adapt to service providers? Or, like air traffic control systems that all standardized on English, will cloud directories adopt one standard schema that everyone maps to?

About the Writer:

Phil Hunt joined Oracle as part of the November 2005 acquisition of OctetString Inc., where he headed software development for what is now Oracle Virtual Directory. Since joining Oracle, Phil works as CMTS in the Identity Standards group at Oracle, where he developed the Kantara Identity Governance Framework and provided significant input to JSR 351. Phil participates in several standards development organizations such as IETF and OASIS, working on federation, authorization (OAuth), and provisioning (SCIM) standards. Phil blogs at and is active on Twitter (@independentid).

Tuesday Feb 07, 2012

Oracle Named a Leader in both User Provisioning and Identity and Access Governance

Oracle Identity Management solutions were positioned in the Leaders quadrants of the two recently published Gartner Magic Quadrant reports. This post is the first in a multi-part blog series; over the course of the next few weeks, we will be covering what we believe makes Oracle’s User Provisioning (Identity Administration) solution, Oracle Identity Manager, and our Identity and Access Governance solution, Oracle Identity Analytics, truly unique and industry leading.

Gartner published their first-ever Magic Quadrant for Identity and Access Governance and Oracle is a leader.

Source: Gartner Magic Quadrant for Identity and Access Management, Dec. 15, 2011. Doc ID#223606. Authors: Earl Perkins and Perry Carpenter. Page 3

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available by clicking on the note title. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Identity and Access Governance solutions offer business users identity analytics and reports to address governance, audit and compliance challenges. According to Gartner, leaders in Identity and Access Governance (IAG) are “composed of vendors that provide products with a good functional match to client requirements for establishing a governance system for access. These vendors have been successful in building an installed base and revenue stream within the IAG market, and have a relatively high viability rating (because of IAG revenue). Leaders also show evidence of superior vision and execution for anticipated requirements, as they relate to technology, methodology or means of delivery. Leaders typically have significant market share, strong revenue growth, and demonstrated early customer satisfaction with IAG capabilities and/or related service and support.”

Oracle Identity Analytics is an advanced Identity and Access Governance solution from Oracle offering rich analytics, prioritized risk scoring, business-friendly dashboards, and advanced compliance features that monitor, analyze, review, and govern user access to mitigate risk, build transparency and satisfy compliance mandates.

The key challenge we often hear organizations talk about is scaling the compliance processes. Performing access certifications across not a handful but hundreds of applications requires not just an automated solution but a powerful (yet business-friendly) process engine powered by analytics to make sense of all the data. To make it a real-world discussion rather than a theoretical one, join ING and Oracle on a live webcast: Scaling Role Management and Access Certification to Thousands of Applications, on Wednesday, April 11, 2012, 10:00 AM PDT, where ING discusses how they successfully tackled the scale challenge.

Close on its heels, Gartner also published its 2011 Magic Quadrant for User Provisioning and Oracle is a Leader.

Source: Gartner Magic Quadrant for User Administration/Provisioning, Dec. 22, 2011. ID# G00219354. Authors: Perry Carpenter and Earl Perkins. Page 4


Two things are clear from these reports. Organizations are looking at integrated platform solutions to meet their audit and compliance needs, and a platform approach is the only viable approach to close security and audit gaps, reduce TCO and derive the complete picture. And we believe that with Oracle’s positioning in the Leaders quadrant for both User Provisioning and Identity and Access Governance, organizations are assured that they are getting not only the complete solution but also a best-in-class one, backed by a strategic vision and strong executive commitment. Seamless integration with Oracle Identity Manager 11g makes Oracle Identity Analytics 11g the industry's only access governance solution to offer an accurate closed-loop remediation solution with risk feedback calculated over a user’s lifecycle as actionable insight for certification reviews. To get customers’ perspectives on the implementation and results from the platform approach, we recommend you look at our monthly webcast series on the subject:

Customers Talk: Identity as a Platform.

If you are looking at user provisioning and/or compliance solutions, we suggest you start by downloading these analyst reports and our recently issued press release on the subject. For more information on Oracle’s platform approach to Identity Management and to learn more about our best-in-class Identity Management solutions, visit us at or contact us via our online communities: Facebook, Blog and Twitter.

You may also find the following resources helpful:

Ongoing Webcast Series: Customers Talk: Oracle Identity Management as a Platform

ISACA Webcast: Limiting Audit Exposure and Managing Risk with Metrics-Driven Identity Analytics

Customer stories: Tackling Compliance Challenges with Oracle Identity Analytics

What’s New in Oracle Identity Manager 11g

Friday Dec 02, 2011

Managing Risk and Enforcing Compliance in Healthcare with Identity Analytics – Q&A Follow-Up

Thanks to all who attended the live webcast event hosted by Healthcare IT News. Hope you find the discussion and the presentations useful; we look forward to a continued conversation.

Compliance in healthcare has always been an active discussion in the identity management industry, and here at Oracle too. So, we were very pleased when Jason W. Zellmer, Director, Strategy and Information Management at Kaiser Permanente Information Security, agreed to be on a live panel discussion with us to share his experiences and insights with his peers. Especially after having had a similar role in a financial services organization in the past, his commentary on how acute identity management and compliance needs are in a healthcare organization like Kaiser Permanente was particularly insightful. The live event also allowed us to bring in experts from Kaiser’s identity management implementation partner, PricewaterhouseCoopers, as well as Oracle’s own solution expert, to provide a 360-degree perspective on compliance solution design and implementation for healthcare organizations.

The on-demand webcast replay is now available and so are the slides for download. And, since we didn’t have time to address all the questions we received during the live Q&A portion of the webcast, we have captured responses to the remaining questions here. Please continue to provide us your feedback and insights from your experience in deploying identity compliance solutions.

Q. Could you brief us about the OOTB component in ERP for managing SOD checks, and how this is effective in the context of integrating with OIM and OIA?

A. Oracle Identity Manager (OIM) and Oracle Identity Analytics (OIA) work seamlessly with OOTB ERP SOD engines like Oracle Applications Access Control Governor (OAACG) to enable both preventative SOD (and IT policy monitoring) checks during the user provisioning process as well as detective and remedial SOD actions.

Q. How are Oracle IDM products flexible with the changing compliance requirements if any?

A. As compliance regulations continue to evolve, standards-based, open Oracle Identity Management solutions allow you to easily configure your workflows in accordance with the changing requirements. And since Oracle Identity Management solutions allow you to externalize security from applications and provide a centralized security platform, organizations can easily adapt to the changing regulatory and compliance landscape without having to rip and replace existing solutions.

Q. Where did you get the 48% IAM cost reduction and 80% productivity boost from?

A. Recently Aberdeen Research conducted a survey comparing cost savings from platform vs. point solutions in Identity Management and found that organizations choosing products from an integrated stack can save up to 48% long term and achieve better automation and lower administrative costs. Please refer to the Aberdeen paper available for download. The 80% user productivity boost was determined based on the benchmark study conducted for the latest release of Oracle Identity Analytics 11g. Please refer to the recent announcement of availability of enhanced Oracle Identity Analytics.

Q. You referred to an ROI study on Identity Analytics and a model for computing compliance cost savings. Where can I find more information?

A. Forrester Consulting recently conducted a study where they interviewed 4 organizations that had deployed Oracle Identity Analytics to understand the various use cases, cost implications and the results from their respective implementations. Based on these actual studies, Forrester then built an ROI model and calculated aggregated savings for a typical organization. We recommend you refer to the Forrester Study on Total Economic Impact of Oracle Identity Analytics. For an in-person discussion, please email Richard Caldwell.

Thursday Nov 03, 2011

2011 Innovation Award Winners - Identity Management

The winners of the 2011 Innovation Awards were announced last month during Oracle OpenWorld. The Award recognizes customers for achieving significant business value through innovative uses of Oracle Fusion Middleware. For Identity Management, that meant deriving and proving exceptional business value, delivering architecture innovation, solving unique challenges and driving industry leadership. With over 20 nominations this year, the panelists had a difficult task ahead of them. One thing was certain though: the winners would be great examples of exceptional use of cutting-edge Identity Management solutions.

This year's winners demonstrated new ways of leveraging cloud and social environments to enhance customer interaction and service levels as well as building business intelligence from IT data to empower business and support management decisions. We congratulate the winners of 2011 Innovation Awards for Identity Management:

ING North America Insurance

Looking to streamline the access certification processes for in-time compliance and manage the complexity of user identity administration, ING North America Insurance implemented Oracle Identity Analytics and Oracle Identity Manager. A combination of detailed planning, close collaboration with Oracle and its implementation partner, and the use of advanced industry solutions allowed ING to achieve its compliance and governance goals. In addition, with business friendly reports and actionable insight, ING's implementation empowered business and offered greater transparency. The team was also able to clearly define, measure and present success metrics to the business.

College Board

With over 50 identity stores and multiple point solutions, including some custom technologies, the organization found integrating applications and extending the identity management platform to be complex, time-consuming, costly and unscalable. The approach also left security gaps. To tackle these inefficiencies and unnecessary overhead, College Board started with the implementation of Oracle Identity and Access Management Suite Plus. Not only was the organization looking to seamlessly replace the old, non-standard custom system with a centralized, integrated, standards-based platform, College Board was also looking to leverage social media with the enterprise environment. The innovative integration with Oracle Identity Manager and Oracle Identity Federation allows the organization to reach millions of potential users via social media and offer advanced services to those users using federated login. The use of Oracle Access Manager and Oracle Directory Services enables secure authentication services for College Board's users.


A subsidiary of Turk Telecom, TTNET serves over 6.5 million subscribers across Turkey, providing high-technology broadband and other value-added services (VAS). TTNET's VAS are different web applications (each with its own authentication server and user repositories) and technologies coming from 10 different partners. Providing a seamless experience to the customer thus became a challenge. Lack of a common authentication platform also left security gaps. With the implementation of Oracle Identity and Access Management Suite Plus, TTNET launched its "Tek Sifre" (One Password) project for VAS, providing its subscriber base unified single sign-on with secure and standard authentication and user administration in the background. Now the customers can use secure single sign-on while the company leverages a standards-based user access management and identity administration platform for identity management, compliance and SLA reporting.


Here is a great example of a cloud-based Identity-as-a-Service implementation. The company wanted to enforce and streamline user access compliance and automate user provisioning, but without the burden of maintaining the infrastructure in-house. So, leveraging Oracle Identity Manager and Oracle Identity Analytics technologies via Simeio Solution's DirectAXS offering, the company was able to achieve its compliance, security and user productivity goals. The implementation benefits included streamlined and automated user provisioning, complete with audit trails, and efficient access certification with a complete view of user privileges and advanced detection and remediation of ghost accounts.

For information on the winners of the Fusion Middleware Awards for 2011, visit:


Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.

