Friday Feb 27, 2015

New eBook: Establishing a Mobile Security Architecture

Today, just as organizations are starting to understand the first wave of the mobile revolution, numerous demands are being placed on IT to support the second wave of mobility, as a new generation of devices and applications comes online to take advantage of these new capabilities in today’s corporate environments.

"Establishing a Mobile Security Architecture" provides a deeper understanding of not only the fundamentals, but also the complex issues related to mobile security in today’s corporate mobility environment. If you maintain the role of a mobility planner, security architect, CISO, security director, IT director, operations manager or just simply want to better understand the best application of technologies for each area of mobility within your organization and how to reduce risk, then download this free copy of "Establishing a Mobile Security Architecture".

Some of the areas covered in this eBook:

  • A look at the changing mobile and business requirements
  • Deep dive into the technologies used to secure the mobile platform today
  • Containerization and application management
  • The role Identity Management plays on the mobile device
  • The broader view of securing the mobile stack

Register now for your free copy of the "Establishing a Mobile Security Architecture" eBook.

Thursday Feb 19, 2015

Look, Puppies! And Other Stories from the Utility Industry’s Digital Transformation

The digital revolution is creating abundance in almost every industry—turning spare bedrooms into hotel rooms, low-occupancy commuter vehicles into taxi services, and free time into freelance time. This abundance is delivered on mobile devices. One industry, however, is using mobile apps to help its customers do less.

The utility industry is using smartphones to help its customers conserve energy in their daily lives by tapping into smart meters.

The results can be powerful. Armed with information from smart meters, consumers can reduce their energy bill by 20 percent. Using the dishwasher at 12 a.m., for example, will cost less than running it after dinner when everyone else is doing the same. To provide a wider economic lens, if only 10 percent of American households reduced energy consumption by 26 percent, the excess energy could power 2.8 million homes or reduce energy bills by US$4 billion annually.

In Belgium, smartphones and tablets provided a ubiquitous platform to deploy energy-saving applications. So Electrabel, Belgium’s largest energy company, launched a campaign to provide smart boxes, smart thermostats, and smart plugs that would allow homeowners to view power usage and control appliances from their mobile devices. A great idea! But how to make it all secure?  

Providing digital access to all of the appliances in someone’s home requires rethinking security: Which users in the household would be allowed to control the devices? How can the utility company detect fraud and take corrective action? With all of these devices online, how can the utility company manage access by administrators? How can it enable consumers with simple services like password reset and profile changes? Not surprisingly, 40 percent of the attacks on the energy and utilities sector have come in the form of web application attacks.

To keep its smart meter and mobile services from going to the dogs, Electrabel used Oracle’s security solutions. You can read about Electrabel’s implementation in Oracle Magazine, along with another interesting use case at Vodafone Group.

Electrabel was so confident in its solution that it launched a puppy-heavy national ad campaign to encourage participation. Here are more puppies. Need more? Here.

Stories like Electrabel’s are only the beginning. Cisco estimates that by 2020, there will be 50 billion devices on the planet and, according to the report, 69 percent of the value will be people-centric communication, which makes the Electrabel story that much more important—because the interaction between devices and people will rely on similar security processes.

Some estimates show that the smart home market will double by 2018. Like Electrabel, the industry must do the work to keep criminals from hacking these applications and stealing personal data—or even worse, using these services as an entry point to cause potentially catastrophic failures like the attacks against SCADA systems.

Building security into new services is critical for the utilities industry—just as it will be for every business embarking on a digital transformation.

Wednesday Feb 18, 2015

ISACA Webcast Replay - Manage, Monitor & Audit the Mobile User

The greatest threat of a data breach – intentional or not – continues to be from employees, contractors and partners – people you are supposed to be able to trust. On February 12th, Oracle presented to ISACA members on the critical nature of establishing policies, technology and best practices to manage, monitor and audit the use of mobile devices as part of a larger Identity Management strategy.

Our presenter was Mark Wilcox, who is a Senior Principal Product Manager at Oracle. Leveraging his 20 years of experience in the computing industry and the Identity and Access space, Mark delivered a very focused session on best practices and industry guidance that would benefit any organization evaluating their mobile strategy. Please click on the following link to replay the event from February 12th, 2015.

For more information on ISACA, and how they can support you on a student, professional or academic level, please visit them on their website at www.isaca.org or directly on their Membership Page.

Replay Webcast Here


Thursday Jan 08, 2015

Shoulder Surfed by a Kid: Why cruel and unusual mobile security policies compromise security…

Author: Clayton Donley, Vice President of Product Management, Oracle Identity Management & Mobile Security.

“Thank you for your purchase of Mojo! Your credit card has been billed $19.95.”

As I leaned back and reviewed my morning email on my iPad, I was surprised to see a receipt for a purchase of something called Mojo. However, it quickly dawned on me exactly what it was and how this had happened.

You see, for a few weeks my son had been playing a free-to-play game on his iPad. In this game, there was a virtual currency called Mojo. He had been asking for me to spend real money to buy some of this virtual currency and I had spent an equal amount of time denying this request. So when the receipt landed in my inbox, I knew exactly what it was and who did it. What I didn’t know was how he had managed to make the purchase.

My iTunes password had lower and upper characters, a special character, no dictionary words, and a number. I wasn’t using it on any other site and hadn’t even given it to my wife.

What I had done was type it on my iPad that morning before I left for work, allowing each character of the password to echo on the screen as I typed it.

Apparently, a properly motivated 9-year-old (at the time) can easily watch these characters echo over your shoulder and enter them later on their own device.

What if this was an Enterprise Password?

Many companies still use login/password to access corporate VPNs and business applications.

Imagine that you work for one of these companies, visit a conference or trade show, and decide to check a file share, CRM application, or wiki using your mobile device.

You pull out your device, unlock it, and launch the application. Usually you’ve entered at least two layers of passwords by this point (perhaps using your fingerprint or swiping rather than entering a PIN to unlock your device).

While the device unlock is important, it requires that someone actually have your device to make it useful. The second sequence, where you connect to your corporate network (or cloud provider) is much more interesting. This is where you go from giving someone access to 32GB of data on your phone to countless terabytes stored in your enterprise.

If your organization hasn’t put into place one-time tokens or two-factor authentication, you’ve potentially given a motivated attacker an easy way to get access to your network. It’s much easier to watch your screen echo your password than it ever was to watch you touch-type your password.

Where some organizations get things exceptionally wrong is by enforcing even more frequent authentication policies when coming from a mobile device. The idea is that because devices can more easily be lost or stolen, it’s ideal to request that users re-authenticate frequently to prove that they are still in control of the device.

This particularly cruel and unusual policy not only degrades user experience and encourages people to choose easier-to-type passwords, but also subjects these passwords to more frequent exposure.

Fortunately there are better security policies and better software to make those policies work well.

What Actually Works?

The easiest solution to this problem is to use the device itself as an authentication factor. This means that a hacker needs both my password and the device in order to log in. This can be as simple as device fingerprinting and as complicated as leveraging digital certificates.

An even better solution is to move away from using any passwords in the first place, leveraging PKI and other established technology to handle the authentication between the device and the service, while using emerging technology like containerization to ensure that only appropriate applications on the device can leverage that session.

With employees bringing their own devices to work in BYOD programs, it’s very important to take an approach that focuses on applications, rather than devices. Over-hardening security at the device-level (e.g. even just to play Angry Birds), rather than just stepping up authentication when it is really needed (e.g. to view customer data), over-exposes credentials and gives users incentives to work around the inconvenience of security.
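The two policy points above (the enrolled device as a second factor, and step-up authentication driven by what is being opened rather than by a timer on every mobile request) can be expressed as a small access-decision routine. The following is an added example, not code from the post or from any Oracle product; the resource names, sensitivity tiers, freshness window and enrollment key are all constructed for illustration, and the HMAC device token stands in for whatever the real deployment uses (a device fingerprint or a client certificate).

```python
"""Device-bound, risk-tiered step-up authentication (added example, not Oracle's code).

Models two points from the post: the enrolled device is an authentication factor,
so a shoulder-surfed password is useless from another device; and re-authentication
is triggered by the sensitivity of what is being opened, not by a timer applied to
every mobile request. Resource names, tiers and the key are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed server-side secret; a real deployment would hold this in an HSM/KMS.
ENROLLMENT_KEY = b"constructed-enrollment-key"

# Hypothetical resources and their sensitivity tiers.
LOW, HIGH = "low", "high"
RESOURCE_TIER = {"wiki": LOW, "fileshare": LOW, "crm_customer_data": HIGH, "hr_payroll": HIGH}

# How long a second factor (OTP, PKI challenge) stays fresh for HIGH-tier resources.
STRONG_AUTH_MAX_AGE = 15 * 60  # seconds


@dataclass
class Session:
    user: str
    device_id: str
    device_token: bytes              # presented by the client; issued at enrollment
    strong_auth_at: Optional[float]  # epoch seconds of last second factor, None if never


def enroll_device(user: str, device_id: str) -> bytes:
    """Issue a device-bound token (stand-in for a client certificate or device fingerprint)."""
    return hmac.new(ENROLLMENT_KEY, f"{user}:{device_id}".encode(), hashlib.sha256).digest()


def device_is_bound(session: Session) -> bool:
    """Check that the presented token really was issued for this user/device pair."""
    expected = enroll_device(session.user, session.device_id)
    return hmac.compare_digest(expected, session.device_token)


def decide(session: Session, resource: str, now: float) -> str:
    """Return 'deny', 'step_up' (ask for a second factor) or 'allow'."""
    if not device_is_bound(session):
        # Valid password but an unenrolled device: exactly the shoulder-surfing case. Stop here.
        return "deny"
    tier = RESOURCE_TIER.get(resource, HIGH)  # unknown resources are treated as sensitive
    if tier == LOW:
        # No re-prompt for low-value apps: every prompt is another chance to expose the password.
        return "allow"
    if session.strong_auth_at is None or now - session.strong_auth_at > STRONG_AUTH_MAX_AGE:
        return "step_up"
    return "allow"


def demo() -> dict:
    """Run the policy over constructed sessions; returns the decisions for inspection."""
    now = 1_700_000_000.0
    alice_phone = enroll_device("alice", "phone-1")
    fresh = Session("alice", "phone-1", alice_phone, strong_auth_at=now - 60)
    stale = Session("alice", "phone-1", alice_phone, strong_auth_at=now - 3600)
    never = Session("alice", "phone-1", alice_phone, strong_auth_at=None)
    # Someone who watched alice type her password but is using their own tablet.
    other_device = Session("alice", "tablet-9", alice_phone, strong_auth_at=None)
    return {
        "low_tier_no_prompt": decide(never, "wiki", now),
        "high_tier_fresh_factor": decide(fresh, "crm_customer_data", now),
        "high_tier_stale_factor": decide(stale, "crm_customer_data", now),
        "high_tier_never": decide(never, "hr_payroll", now),
        "unenrolled_device": decide(other_device, "wiki", now),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The design choice worth noting is the order of the checks: the device binding is evaluated before anything else, so a password captured over someone's shoulder never reaches the step-up logic at all, and the low-tier branch returns without prompting, which is the opposite of the "re-authenticate more often on mobile" policy the post criticises.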

What about the Young Hacker?

With no shortage of hidden pride (and considering his promising future black hat career working with the LizardSquad and CryptoWall teams), I let my son know that he wasn’t allowed to do this sort of thing anymore.

Within a few days he proceeded to get my next few passwords, but “only used them to get free apps”. At this point I gave up.

About the Author


Clayton Donley is the Vice President of Product Management for Oracle’s Identity Management and Mobile Security products.
You can follow Clayton on Twitter at @cdonley.

Visit the Oracle Technology Network for more information about Oracle Identity Management Products including downloads, documentation and samples.

Engage with us on Twitter @oracleidm and follow us here in the Identity Management blog.

Monday Nov 24, 2014

Gartner Identity & Access Management Summit, Dec 2-4, 2014 w. Amit Jasuja

Register Now for Gartner Identity and Access Management Summit, Dec 2-4, 2014


Join Platinum Sponsor Oracle at Caesar's Palace Las Vegas
Oracle Session: Revolution or Evolution: Unlocking The Potential of The New Digital Economy
Speaker: Amit Jasuja, Senior Vice President, Development Java & Identity Management Products, Oracle
Oracle Session Schedule: Tuesday, December 2, 2014 - 10:45 a.m. – 11:30 a.m. - Octavius 22

Abstract: As organizations consume an increasing number of mobile and cloud apps, identity management becomes fragmented. Organizations have inconsistent access policies and lose visibility into who has access to what. To avoid these risks and costs, they are increasingly adopting a strategy of extending enterprise identity services to the cloud. This presentation explores how organizations are using Identity Management to give users access to all their data from any device while providing an intelligent centralized view into user access rights across mobile, cloud and enterprise environments. See how Oracle Identity Management can securely accelerate your adoption of mobile and cloud applications.

Visit the Oracle Platinum Sponsor Booth
Attendees can meet with Oracle Solution experts and discuss how Oracle Identity Management can securely accelerate your adoption of mobile and cloud applications.

Oracle Demos will Showcase:

Identity Governance
Given the state of the economy, with a high number of data breaches and unauthorized access to sensitive information assets, it is no wonder that this is one of the biggest threats organizations are concerned with today. Ensuring properly vetted access and visibility into highly privileged accounts and entitlements is critical to a sound security practice.

This demo showcases Oracle’s Identity Management Solution, highlighting the differentiated value proposition of an integrated and converged Identity Governance, Access Management and Privileged Accounts Management approach.

We will show the following capabilities:

  • Self Service Access Request
  • Integrated OIM Catalog with OPAM entitlements
  • Multi-approval workflow with temporal grants and authorizations
  • 2-Factor authentication with Oracle Mobile Authenticator
  • Recording of a privileged access (Windows session recording)
  • Execution of a certification campaign with both normal and privileged entitlements

Mobile & Cloud Access Management

  • Unified Self Service Console and Delegated Admin Console (OIG) extended to Mobile
    • App- and device-level policies, app inventory
    • View user, request roles and invite user to register device
    • Automated device configuration and Secure Workspace app installation
    • Data leakage prevention policies
  • Application access via Secure Workspace
    • Show applications being provisioned as part of the role assignment above. This also includes a link to the IdaaS portal in the secure workspace.
    • Click on the link and you are single signed on to the IdaaS portal.
  • Cloud Application access scenarios in IdaaS:
    • Access Document Cloud Service – simple federated SSO.
    • Access Fusion HCM and be prompted for 2-factor authentication using OMA.

Visit the Oracle Technology Network for more information about Oracle Identity Management Products including downloads, documentation and samples.

Engage with us on Twitter @oracleidm and follow the Identity Management blog.

Sunday Nov 09, 2014

Oracle at Gartner Identity and Access Management Summit - Dec 2nd - 4th, 2014 in Las Vegas

Join Amit Jasuja, Senior Vice President, Development Java & Identity Management Products, Oracle, at the Gartner Identity and Access Management Summit running from December 2nd to 4th, 2014, at which Oracle is proud to be a Platinum sponsor.

Oracle Session: Revolution or Evolution: Unlocking The Potential of The New Digital Economy
Speaker: Amit Jasuja, Senior Vice President, Development Java & Identity Management Products, Oracle
Oracle Session Schedule: Tuesday, December 2, 2014 - 10:45 a.m. – 11:30 a.m. - Octavius 22
Abstract: As organizations consume an increasing number of mobile and cloud apps, identity management becomes fragmented. Organizations have inconsistent access policies and lose visibility into who has access to what. To avoid these risks and costs, they are increasingly adopting a strategy of extending enterprise identity services to the cloud. This presentation explores how organizations are using Identity Management to give users access to all their data from any device while providing an intelligent centralized view into user access rights across mobile, cloud and enterprise environments. See how Oracle Identity Management can securely accelerate your adoption of mobile and cloud applications.

Oracle Booth
Attendees can meet with Oracle Solution experts and discuss how Oracle Identity Management can securely accelerate your adoption of mobile and cloud applications.

Oracle Demos will Showcase:

Identity Governance
Given the state of the economy, with a high number of data breaches and unauthorized access to sensitive information assets, it is no wonder that this is one of the biggest threats organizations are concerned with today. Ensuring properly vetted access and visibility into highly privileged accounts and entitlements is critical to a sound security practice.

This demo showcases Oracle’s Identity Management Solution, highlighting the differentiated value proposition of an integrated and converged Identity Governance, Access Management and Privileged Accounts Management approach.

We will show the following capabilities:

  • Self Service Access Request
  • Integrated OIM Catalog with OPAM entitlements
  • Multi-approval workflow with temporal grants and authorizations
  • 2-Factor authentication with Oracle Mobile Authenticator
  • Recording of a privileged access (Windows session recording)
  • Execution of a certification campaign with both normal and privileged entitlements

Mobile & Cloud Access Management

  • Unified Self Service Console and Delegated Admin Console (OIG) extended to Mobile
    • App- and device-level policies, app inventory
    • View user, request roles and invite user to register device
    • Automated device configuration and Secure Workspace app installation
    • Data leakage prevention policies
  • Application access via Secure Workspace
    • Show applications being provisioned as part of the role assignment above. This also includes a link to the IdaaS portal in the secure workspace.
    • Click on the link and you are single signed on to the IdaaS portal.
  • Cloud Application access scenarios in IdaaS:
    • Access Document Cloud Service – simple federated SSO.
    • Access Fusion HCM and be prompted for 2-factor authentication using OMA.

Register Now for Gartner Identity and Access Management Summit 2014. We hope to see you there!

Visit the Oracle Technology Network for more information about Oracle Identity Management Products including downloads, documentation and samples.

Engage with us on Twitter @oracleidm and follow the Identity Management blog.

Tuesday Sep 23, 2014

Pre-Registration Now Open for eBook: Oracle Mobile Security Primer

Today, just as organizations are starting to understand the first wave of the mobile revolution, numerous demands are being placed on IT to support the second wave, as a new generation of devices and applications comes online to take advantage of these new capabilities in today’s corporate environment.

Pre-Registration has just opened for the new eBook: Oracle Mobile Security Primer which provides a deeper understanding of not only the fundamentals, but also the complex issues related to mobile security in today’s corporate mobility environment. If you maintain the role of a mobility planner, security architect, CISO, security director, IT director, operations manager or just simply want to stay up on the latest trends around mobile security, then pre-register for this new eBook: Oracle Mobile Security Primer.

Some of the areas covered in this eBook:

  • A look at the changing mobile and business requirements
  • Deep dive into the technologies used to secure the mobile platform today
  • Containerization and application management
  • The role Identity Management plays on the mobile device
  • The broader view of securing the mobile stack

Registration will allow Oracle to provide notification to you upon its availability in both eBook and printed form by McGraw-Hill.

www.mhprofessional.com/mobsec

Thursday Jun 12, 2014

BYOD is not a fashion statement; it’s an architectural shift - by Indus Khaitan

Ten years ago, if you asked a CIO, “How mobile is your enterprise?”, the answer would have been, “100%, we give a Blackberry to all our employees.”

A few things have changed since then:

1. Smartphone form-factors have matured, especially after the launch of the iPhone.
2. Rapid growth of productivity applications and services that enable creation and consumption of digital content.
3. Pervasive mobile data connectivity.

There are two threads emerging from this change. Users are rapidly mingling their personas as an individual and as an employee: one second posting a picture of a fancy dinner on Facebook, the next creating an expense report for the same meal on the mobile device.

Irrespective of the dual persona, a user’s personal and corporate lives intermingle freely on a single piece of hardware, and more often than not it’s an employee’s personal smartphone being used for everything.

A BYOD program enables IT to “control” an employee-owned device while enabling productivity. More often than not the objective of BYOD programs is financial: instead of the organization, the employee pays for the device. More than a fancy device, BYOD initiatives have become a sort of fashion statement, of corporate productivity, of letting employees be in charge, and a show of corporate empathy in not forcing an archaic form-factor on people in a world of new device launches every month.

BYOD is no longer just a means of effectively moving expense dollars and support costs. It does not matter who owns the device; it has to be protected. BYOD brings an architectural shift. BYOD is an architecture which assumes that every device is vulnerable, not just what your employees have brought but also what organizations have purchased for their employees. It's an architecture which forces us to rethink how to provide productivity without compromising security.

Why assume that every device is vulnerable?

Mobile operating systems are rapidly evolving, with a major upgrade announcement every other month. It is impossible for IT to catch up. More than that, users are savvier than before. While IT could install locks at the doors to prevent intruders, that may degrade productivity, which incentivizes users to bypass restrictions. A rapidly evolving mobile ecosystem has moving parts which are vulnerable.

Hence, creating a mobile security platform, which uses the fundamental blocks of BYOD architecture such as identity defragmentation, IT control and data isolation, ensures that the sprawl of corporate data is contained.

In the next post, we’ll dig deeper into the BYOD architecture.

Friday May 09, 2014

Three User Friendly Strategies for BYOD Security

For most CIOs, securing corporate data on mobile devices is top of mind. With enterprises producing more data than ever before in human history, much of that data will be accessible via mobile devices and mobile applications. In fact, studies suggest that 80% of enterprise access will be via mobile devices by 2020, vs. just 5% today. Amit Jasuja's recent article on Forbes Oracle Voice discusses three strategies for CIOs that can reduce the risk and simplify the user experience.

Monday May 05, 2014

Is Mobility Creating New Identity and Access Challenges? - by Marcel Rizcallah

Are mobile, social, big data and cloud services generating new Identity and Access Management challenges? Guest blogger Marcel Rizcallah is the EMEA Domain Leader for Security at Oracle Consulting and today will highlight some of the new IAM challenges faced by customers with Cloud services and Mobile applications.

Sales force users increasingly ask for iPads or other mobile devices to access Cloud services such as CRM applications. A typical requirement is to use an AD or corporate directory account to log in seamlessly to the Cloud service, either with a web browser or with a downloaded application on the device. The benefits, compared to a separate login/password provided by the Cloud provider, are more security and better identity governance for the organization: password policy is enforced, CRM services are granted to sales people only, and Cloud accounts are de-provisioned immediately when people leave.

Integrating a mobile device browser with the intranet is easily addressed with federation solutions using the SAML standard. The user provides his login and password only once and tools such as Oracle Mobile Security Suite and Oracle Access Manager provide the end-to-end integration with the corporate directory.

Authenticating through a downloaded application provided by the Cloud service may be more complex; the user authenticates locally and the device application checks first the credentials in the cloud environment. The credentials are relayed to the organization’s intranet using REST services or standards such as SAML to validate the credentials.

Integrating IAM services between SaaS applications in the Cloud and the corporate intranet may lead to a weird situation. Let’s look at this example: one of my customers discovered that their CRM SaaS application, provided by a public Cloud environment, was supposed to be SAML compliant, yet did not correctly generate one of the SAML messages when authenticating through a downloaded application on the device. Despite all parties agreeing that this is a bug, fixing the Cloud application was not an option because of the possible impact on millions of Cloud customers. On the other hand, changing the Oracle Access Manager product, fully compliant with SAML 2.0, was not an option either. The short-term solution would be to build a custom credential validation plug-in in Oracle Access Manager or an integration tool, such as Oracle API Gateway, to transform the wrong message on the fly! Of course this should not stay a long-term solution!

When we ask customers which SSO or Identity Governance services are the priority for integrating Cloud SaaS applications with their intranet, most of them say it’s SSO. Actually SSO is more urgent because users want to access Cloud services seamlessly from the intranet. But that’s only the visible part of the iceberg; if Cloud accounts are not aligned with the employee or sales force master records, customers will end up paying more license fees to the Cloud provider than needed. SSO with Oracle Access Manager will improve customer experience, but cloud provisioning / de-provisioning with Oracle Identity Governance will optimize Cloud costs.

Use the following links to learn more about Oracle IDM products and Oracle Consulting Services for IDM.

Wednesday Apr 30, 2014

Identity Enabling Mobile Security - by Suresh Sridharan

Smart Connected Device Growth: The growth of smartphones and tablet devices has been phenomenal over the past 4 years. Global smartphone shipments have grown extensively from approximately 100m units in 2010 to 725m units in 2012, reaching 1b devices in January 2014. Simultaneously, tablet shipments have grown from 5m units in 2010 to approximately 125m units in 2012. Tablet numbers are likely to touch 400m units by 2017.

This explosion in the shipment of smart connected devices has also led to a significant change in users’ behavior and expectations.

In a corporate environment, the phenomenon of Bring Your Own Device (BYOD) is gaining momentum. Gartner predicts that 38% of all organizations will have an “all BYOD” policy by 2016, up from 6% today (2014). If the same device is used for both personal and work purposes, users will expect the same experience across corporate and personal apps. Further, employees regularly use similar apps for both business and personal purposes; examples include WhatsApp, Skype and Facebook.

Mobile devices present benefits both for organizations and for individuals. Surveys show that a BYOD policy helps employees gain an extra 37 minutes of productive time every week. To increase sales productivity, some of our customers are mobile-enabling sales teams to ensure that they have access to the latest information when they meet with customers.

Security is one of the most significant mobile device challenges both for consumers and for enterprises. Although mobile commerce is growing rapidly (to $25b in the US alone), 60% of all retail transactions that get to the checkout stage are abandoned, with security as one of the main causes, according to recent data.

As corporate data on the device co-mingles with user data on a personal device, it becomes challenging for enterprises to impose restrictions on the use of devices. About 40% of adults do not protect their smartphones with a passcode; among married adults that number goes up to 45%.

In order to address security challenges, IT should be able to define and enforce policies that meet security and privacy standards to protect intellectual property, other corporate assets and, optionally, personal employee data.

There are three things to consider while implementing security in the new mobile age:

  1. Implement a strong identity management system that allows one to manage users and ensure that they are able to access information based on the principle of least privilege to carry out the necessary tasks.
  2. Implement an access management solution to secure data based on who is accessing it and the risk profile of that specific transaction.
  3. Implement a mobile security solution that will help secure data on the device and ensure corporate security policies are enforced on the device from which assets are being accessed.

In essence, organizations need to ensure that application data is secured based on the user accessing it and the device and location from which it is being accessed. Securing the device and the user identity in isolation is not sufficient.

Wednesday Apr 16, 2014

Management and Provisioning of Mobile Devices - Dave Smith

Today we will explore provisioning and device management. These weren’t always considered to be related topics, but in a bring-your-own-device (BYOD) world, there are new relationships to consider…!

 So what is a device…? In the context of the Internet of Things, it potentially refers to anything having an IP Address, such as an automobile, refrigerator, etc. In the context of mobile security, it refers to smartphones and tablets. The mobile device is the new channel to access corporate content, applications and systems, breaking free from the traditional model of using a desktop computer or laptop to access these assets.

 It should be no surprise that from the perspective of enterprise security, “device management” means controlling the device or better yet, controlling what corporate assets can be accessed from this device. In a BYOD world, employees bring their personal mobile devices into the workplace in order to more flexibly access corporate assets. The BYOD phenomena defines not only an architecture, but also a cultural shift and quite frankly, an expectation of users that their personal devices will continue to provide the experience they are accustomed to for other mobile apps. Device management, therefore, must be carefully deployed, since it has to not only provide easy and familiar access for employees’ devices, while at the same time, must do so without sacrificing corporate security by providing limitless access to corporate assets. While on the surface device management seems to be a device-centric approach, it actually needs to be user-centric.

 So what does provisioning mean to mobile devices? Provisioning means managing access. Often this is associated with managing access to application accounts – e.g. create, update, retrieve or delete of accounts or managing the privileges or entitlements granted through these accounts. However, when considering mobile devices and device management, provisioning must also refer to managing access from the user’s device to corporate assets (content, files/shares, applications, services). So, provisioning includes both digital (e.g. accounts and access) as well as physical access (e.g. enabling network access to corporate assets). Managing someone’s access by group or role (e.g. role-based access control, RBAC) is much more scalable and less brittle than managing access on an individual user-by-user basis.

 Provisioning access can be triggered by a number of factors. One is “birth right” access, based on a new hire event. Another is driven by requests for new access (e.g. similar to online shopping, but where the cart holds new entitlements). With the introduction of mobile devices, a third example describes managing the available catalog of mobile apps that a particular person can download to his/her device, ideally based upon his/her job and role within the company.

Closely related to provisioning is de-provisioning, the removal of access. Historically, de-provisioning occurs when a person leaves the company or changes jobs and no longer needs access. In a BYOD world, de-provisioning must extend to the mobile apps running on the person’s enabled devices. Furthermore, given that mobile devices are more easily lost or stolen, mobile device management dictates that access from a device has to be de-provisioned or blocked when the device itself has been compromised.
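The provisioning and de-provisioning events described above, worked through as an added example in Python (this is not the blog's or Oracle's code). Roles, entitlement names, device ids and the "employee" birth-right role are all constructed for illustration. The point it shows is that access is derived from roles, so a new hire, a job change and a termination each touch one record, while a lost or stolen device is blocked without changing the person's entitlements at all.

```python
"""Role-based provisioning of BYOD access: constructed example, not the blog's code."""
from dataclasses import dataclass, field

# Constructed catalog: role -> entitlements. "employee" is the birth-right role
# every new hire receives; the others are job roles. (All names are made up.)
ROLE_ENTITLEMENTS = {
    "employee": {"app:mail", "app:directory", "net:corp-wifi"},
    "finance": {"app:ledger", "share:finance-reports"},
    "engineer": {"app:git", "share:build-artifacts", "net:dev-vpn"},
}


@dataclass
class Device:
    device_id: str
    owner: str
    enrolled: bool = True       # False once the owner has been de-provisioned
    compromised: bool = False   # True once the device is reported lost/stolen/jailbroken


@dataclass
class Directory:
    roles: dict = field(default_factory=dict)    # user -> set of role names
    devices: dict = field(default_factory=dict)  # device_id -> Device

    def hire(self, user, job_roles=()):
        """New-hire event: birth-right role plus any requested job roles."""
        self.roles[user] = {"employee", *job_roles}

    def change_roles(self, user, job_roles):
        """Job change: replace job roles wholesale, keep the birth-right role."""
        if user not in self.roles:
            raise KeyError(f"unknown user {user}")
        self.roles[user] = {"employee", *job_roles}

    def terminate(self, user):
        """Leaver event: drop all roles and de-provision every enrolled device."""
        self.roles.pop(user, None)
        for dev in self.devices.values():
            if dev.owner == user:
                dev.enrolled = False

    def enroll_device(self, user, device_id):
        """Register a personal device against an existing user."""
        if user not in self.roles:
            raise KeyError(f"unknown user {user}")
        self.devices[device_id] = Device(device_id, user)

    def report_compromised(self, device_id):
        """Lost/stolen report: block the device without touching the user's roles."""
        self.devices[device_id].compromised = True

    def entitlements(self, user):
        """Digital access: union of the entitlements of every role the user holds."""
        return set().union(*(ROLE_ENTITLEMENTS.get(r, set())
                             for r in self.roles.get(user, set())))

    def app_catalog(self, user):
        """Apps this user may download, derived from role rather than per user."""
        return {e for e in self.entitlements(user) if e.startswith("app:")}

    def device_access(self, user, device_id):
        """What this user may reach from this device: role entitlements gated by device state."""
        dev = self.devices.get(device_id)
        if dev is None or not dev.enrolled or dev.compromised or dev.owner != user:
            return set()
        return self.entitlements(user)
```

Note that `device_access` checks the device's owner as well as its state, so a device enrolled by one person never carries another person's entitlements, and `terminate` marks devices rather than deleting them, which keeps the record available for audit.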

In the next blog, we will take a look into the concept of “secure containers”, which are provisioned to the device as a key component of a successful BYOD strategy.

Wednesday Apr 02, 2014

Analyzing How MDM and MAM Stack Up Against Your Mobile Security Requirements - by Matt Flynn

Mobile is the new black. Every major analyst group seems to have a different phrase for it but we all know that workforces are increasingly mobile and BYOD (Bring Your Own Device) is quickly spreading as the new standard. As the mobile access landscape changes and organizations continue to lose more and more control over how and where information is used, there is also a seismic shift taking place in the underlying mobile security models.

Mobile Device Management (MDM) was a great first response by an Information Security industry caught on its heels by the overwhelming speed of mobile device adoption. Emerging at a time when organizations were purchasing and distributing devices to employees, MDM provided a mechanism to manage those devices, ensure that rogue devices weren’t being introduced onto the network, and enforce security policies on those devices. But MDM was as intrusive to end-users as it was effective for enterprises.

In the MDM model, employees relinquished control of their devices to their employer. Big Brother knew what was installed, how the devices were used and what data was on the device, and MDM gave organizations full control to wipe device data at will. As a result, many people chose to carry two devices: one for personal use and the other for work. As device manufacturers dramatically improved products every six months, people quickly began using personal devices as the primary communication mechanism and work devices as needed to perform certain tasks. It also drove people to insecurely send work data to personal devices for convenience, increasing the risk of data loss. For these reasons, and with the upswing of BYOD, MDM has been relegated to playing a supporting role in Enterprise Mobile Security.

Mobile Application Management (MAM) has emerged as a better alternative to MDM in the world of BYOD. MAM solutions create a secure mechanism for employees to interact with corporate data and apps without infringing upon personal apps and data. With MAM, organizations can control application and data access and how data is used on mobile devices, and can enable new mobile access scenarios without compromising security. MAM embraces the BYOD movement and encourages employee mobility while also locking down data, reducing exposure, and responding more efficiently to compliance mandates about how data is used. But MAM isn’t the end of the story.

Mobile access isn’t much different than other types of access. It’s just another access point that should be part of an Enterprise Access Management approach. Securing access via mobile devices shouldn’t require an entirely separate technology silo, another set of management interfaces, and yet another point of integration for corporate Access Governance. Also, most MAM solutions fall short on a variety of use-cases. By rationalizing MAM into an enterprise Access Management approach, organizations gain extremely valuable capabilities that are otherwise unavailable in MAM solutions alone.

For example, MAM-type on-device virtual workspace approaches don’t work very well in B2C scenarios where apps are delivered via well-known public app stores. Nor do they make sense from a user experience perspective in those scenarios. Also, for advanced Access Management scenarios such as risk-based transaction authorization, integrating basic app security with back-end adaptive access solutions provides extremely compelling benefits. With apps looking to leverage modern protocols such as REST to access legacy system data, there is benefit from Access Management infrastructure such as API Gateways that provide those services. Providing support for these advanced scenarios in a solution that provides a single point of management, a single infrastructure and a unified audit trail is where mobile security is heading.

Next generation mobile security solutions will see MDM and MAM features integrated into more traditional and enterprise-centric Access Management solutions. This single platform approach simplifies management, reduces cost, and enables an improved user experience. But more importantly, incorporating the capabilities of a robust Access Management platform opens new avenues through which to do business and engage with customers, partners, and the extended community. Oracle has a focus on providing exactly this kind of integrated and consolidated approach to securing the mobile platform through securing the device, applications and the access with the Oracle Mobile Security Suite.

In our next post in this series, we’ll look at the various deployment phases through which cloud technologies are being adopted by increasingly mobile workforces starting with cloud-based file sharing services.

Wednesday Mar 26, 2014

Multi Channel Architecture & Securing The Mobile Channel - by Ricardo Diaz

This brand NEW series from Oracle's Global Sales Support team will dive into mobile security risks, dissect MDM, MAM and changes in the wind, device management, fraud, secure containers, extending IdM to mobile, application development and much more.

Multi-Channel Architecture (MCA) projects are transformative business trends brought on by I.T. modernization initiatives across industries. As these customer, partner, vendor or employee channels' technology evolves to meet today's new business opportunities, security and privacy risks have never been greater. Especially in the Mobile Channel.

Let's look at one of my favorite industries' multi-channel architectures, BANKING, and why securing the mobile channel is quickly becoming a priority for businesses globally.

A bank's channels, ATM, Branches, Online, IVR, POS, PSE and Mobile, all need airtight information protection policy and rock-solid security/privacy controls. The Mobile channel, on the surface, looms as the 800-pound gorilla in the room for many bank enterprise security architects because mobile security, to many, is so new. In reality, with the right technology partner it doesn’t have to be.

One interesting and risky trend I noticed working with Colombian, Mexican and Australian banks and their MCA projects is where the mobile application development group sits in the enterprise org. These critical development teams were sitting outside of I.T.! NO governance. Weak security. They did this to speed the development process of their apps. I get it, but this is a good example of what is probably more common than you'd think when it comes to the risks of mobile application development. So is bringing these development teams under the I.T. umbrella going to secure their apps? Not necessarily, but this type of security challenge highlights the need for not just a good mobile security solution but one that isn't bound by organizational or political barriers. All these MCA Banking projects had this challenge as a key business driver for a robust, secure mobile channel. Take a look INSIDE your organization. Is security ubiquitous within your mobile business channel? Are shortcuts being taken to speed up development and meet business demand? Can you extend your enterprise security policy to these mobile devices if these apps were not built to your corporate enterprise architecture or security standard?

In the next GSS blog, we will highlight how the MDM/MAM space has evolved and why these technologies are part of the mobile security answer but not the final answer.

Wednesday Feb 26, 2014

Announcing Oracle Mobile Security Suite: Secure Deployment of Applications and Access for Mobile

Today, Oracle has announced a new offering, Oracle Mobile Security Suite, which will provide access to sensitive applications and data on personal or corporate-owned devices. This new offering will give enterprises unparalleled capabilities in how they contain, control and enhance the mobile experience.

A great deal of effort has been placed into analyzing how corporations are leveraging the mobile platform today, as well as how they will use this platform in the future. Corporate IT has spoken loud and clear about the challenges it faces around lengthy provisioning times for access to applications and services, as well as the need to manage the increased usage of applications. Recent industry reports show how significant the risks can be. [1] A detailed assessment of one of the most popular application marketplaces shows that 100% of the top 100 paid apps have some form of rogue variant posted within the same marketplace. As credential theft is on the rise, one of the places it is being carried out is on the mobile device, via rogue apps or malware with embedded keystroke recorders or collection tools that send other critical data back from the device.

One of the great new features of the Oracle Mobile Security Suite (OMSS) is its use of containers. Containers allow OMSS to create a secure workspace within the device, where corporate applications, email, data and more can reside. This workspace uses its own secure communications back to the back-end cloud or corporate systems, independent of a VPN. This means that corporate information is maintained and managed separately from the personal content on the device, giving end users the added flexibility of using personal devices without impacting the corporate workspace. Remote wipe of data now doesn't impact the entire device, only the contents of the corporate workspace. New policies and changes in access and applications can be applied whenever a user authenticates into their workspace, without having to rebuild or re-wrap any applications in the process, unlike other offerings. This is a unique approach for Oracle.

More details on this new release at  http://www.oracle.com/us/corporate/press/2157116

Rounding out this offering are capabilities that enable complete end-to-end provisioning of access, Single Sign-on within the container, an enterprise app store and much more.

Technical Whitepaper: Extending Enterprise Access and Governance with Oracle Mobile Security

For the latest information on Oracle's Mobile Strategy, please visit the Oracle Mobile Security Suite product page, or check back for upcoming Mobile Security postings on the Oracle IDM blog page this March. 

[1] 2013 X-Force Internet Threat Report

Tuesday Dec 31, 2013

MDM + Oracle Fusion in the Cloud - Simeio Solutions

Introduction
In the previous posts in this series, we covered many concepts, from Mobile Device Enablement, BYOD, Mobile Device Management (MDM) and Mobile Application Containerization to Mobile Identity Management. While the focus of all the prior posts was on the pros and cons and best practices, we would like to take a detour in the concluding post of this series and focus on the cloud and how it relates to the “mobile” landscape.

BYOD, MDM and Cloud Computing are each becoming an integral part of the IT landscape at a rapid pace. While organizations have invested in infrastructures that allow their employees to work remotely via technologies like VPN, the technology stack, with the advent of the MDM/BYOD age, needs to extend to allowing remote access via these mobile devices too.

Cloud Computing
In the information era, innovative concepts come along and emerge as new trends. Not all trends are created equal. Cloud Computing is one such term that has not just emerged as a trend but has enabled technology to take a leap forward in terms of scale and usability. It has taken a quantum leap forward in terms of ambition. As with most technologies, there are many benefits to be gained, but along with understanding the benefits, the business risks must also be evaluated. While evaluating such benefits, it’s important to look not just at the short-term benefits but also at the long-term objectives and goals of an organization's strategy.

What Is Cloud Computing
The term is just one of many that we have been introduced to in the industry. But what does it actually mean? Let’s take a brief look at a few definitions of the term:

Wikipedia: “Cloud computing is a phrase used to describe a variety of computing concepts that involve a large number of computers connected through a real-time communication network such as the Internet”

NIST: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared  pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released  with minimal management effort or service provider interaction”.

Merriam-Webster: “The practice of storing regularly used computer data on multiple servers that can be accessed through the Internet”.

For Dummies : “The “cloud” in cloud computing can be defined as the set of hardware, networks, storage, services, and interfaces that combine to deliver aspects of computing as a service”.

Before we provide you with any more references to confuse you further, let’s pause here. We cited the top 3 sources of references, and each has its own variation of the definition. So which definition is more apt? Do they all mean something different, or do they all mean the same? The short answer is that they are all the same. Whichever way you read it, it translates to “cloud computing” being a model: a model that has certain characteristics.

The essential characteristics of a cloud network are that it is an on-demand service, that it can scale to exponential proportions at a rapid pace, that it can aggregate resources from across multiple platforms, and that its use is measurable.

The four fundamental deployment models of a cloud service are a public cloud, a private cloud and a hybrid cloud. The terms public and private are by themselves indicative of their use, and hybrid, as its name suggests, is an amalgamation of the two models.

BYOD in the Cloud:
BYOD’s success is directly proportional to the variety of devices and platforms that it introduces to the IT systems. For organizations that are proponents of the BYOD ideology, the key factor that determines the ease of onboarding users onto the corporate network is the use of Virtual Private Networking (VPN) technology. Enabling users to tunnel into the network via VPN allows organizations to let their users access files and/or control the applications on local machines that they require for their daily routines, regardless of the platform or device they are using or their location, as long as they are connected to the cloud.

Therefore, it is imperative that cloud connectivity plays an important role in enabling such access across platform or device agnostic systems.  BYOD needs to be part of a wider, holistic approach to Cloud computing.

Now take into account the general Cloud options. The problem with this is that you can lose control of the data while not losing responsibility for it. You don’t even know where it is. At a technical level, this might not be important; however, at a legal and regulatory level it definitely is. Moreover, your only ultimate control over your own data is your contract with the Cloud provider - and if the provider fails, contracts are no substitute for data.

The BYOD concept is evolving very quickly, and the changes influencing how enterprises have adopted this technology vary considerably. They are forcing IT section chiefs to think more intrusively and acquire tools to control this situation without restricting the end-user experience. MDM, or Mobile Device Management, is one such very handy tool, but as the BYOD concept continues to spread, businesses will require many other services integrated with MDM. Two such services are Mobile Device Management (MDM) and Content Management.

MDM in the Cloud:
Cloud-based device management doesn't minimize application or operating system bloat, but what it does do is leverage the Internet's bandwidth for delivery, monitoring and metering. If an organization is geographically dispersed and diverse, cloud-based MDM becomes a necessity rather than a requirement. A smart way to set up a cloud-based MDM solution is to place the organization's asset management system in the cloud and allow the processes to take place via users' personal bandwidth. It's kind of an extension of BYOD, but in this case it's BYOB, where the "B" is bandwidth.

By using an employee's personal bandwidth for that "last mile" leg of the delivery process, the corporate network's bandwidth, even on a segregated network, remains available for monitoring, operating system delivery, server patching, administration, and other required maintenance activities.

Cloud-based MDM will be most effective with user devices, which will always outnumber data center ones. User devices burn up bandwidth due to their sheer numbers.

When we refer to MDM in the cloud, a key issue that comes to mind is “security”. Arguably the greatest challenge faced by organizations embracing BYOD is that of security: ensuring that personal devices aren't compromised themselves and don't pose a security threat to the rest of the network. Allowing BYOD introduces many more vulnerabilities at various points in the network, and so there are many ways in which these risks can and need to be addressed.

The first step is to reduce the risk of the personal device being compromised in the first place. This is particularly pertinent where employees are bringing their own device in to connect to the business's LAN. To achieve this, some organizations have conditions of use which require that the user's device has specific anti-virus and management software installed before it can be allowed onto the network. However, the risks can also be reduced by ensuring that personal devices are only allowed to connect to the local network via a VPN rather than a direct connection, even when the user is on site.

Using a VPN is a must for users in remote locations as the secure tunnel of a VPN prevents any information being intercepted in transit. It can be tempting for employees working off-site (or even on site) on personal devices to email documents, for example, backwards and forwards but the security of such communications can never be guaranteed.

What's more, that approach requires that at least some work data is stored locally on the personal device - a cardinal sin in terms of data protection. Again, both VPNs and cloud solutions can negate the need to store local data. Using a VPN will allow the worker to operate on the local network, accessing, working on and storing everything they need there rather than on their own device. Secure cloud services, on the other hand, can be used to provide collaborative workspaces where users perform all their work in the cloud so that colleagues, wherever they are, can access it. However, care should be taken to check the security measures used by cloud providers before signing up to such services, whilst the user must also ensure that someone who misappropriates a device can't then easily access their cloud account (through lack of device security, stored passwords, etc.).

Since MDM itself is a relatively new concept, there is disparity of opinion regarding the implementation of a cloud-based system. While most organizations prefer a cloud-based solution, others are not willing to let go of a very recent transition made from traditional networks to MDM. Some, however, have opted for a hybrid solution where data processing is done on servers. A purely cloud-based solution, however, is more beneficial to the requirements of companies, especially if they're on a small scale:

  1. Setup Time: The setup time for a cloud-based system is very short. This is because the data is ultimately in a cloud, and a system that gives access to multiple devices can be created easily.
  2. Setup Cost: Budget constraints are a common problem faced by small companies. BYOD automatically removes the strain of providing devices to employees, while cloud systems enable mobile device management without the need to spend money on technical equipment such as server machines, cables, power outlets and switches.
  3. Maintenance: Regular maintenance of the server will be unnecessary. If the software has the latest updates and is working properly, chances are the server is providing optimal performance as well.
  4. Costs: One of the most appealing features of MDM is the low initial cost of setup. What is overlooked, however, is that the running or operating costs of cloud systems are reasonable as well. Payment is simply on a usage basis and according to the number of devices connected to the cloud system.
  5. Ease of Access: The cloud may be accessed from any location, which means that workers in remote locations will be able to work from home or elsewhere.

Oracle Fusion Middleware:

Cloud computing may appear to be spreading like wildfire with both enterprise and personal users jumping at the chance to take advantage of the cost effectiveness, scalability and flexibility that it offers. However, there is a strong debate amongst industry experts, and beyond, as to whether this uptake, however rapid, has been severely tempered by a lack of trust and understanding around cloud services from prospective clients.

Many propose that, as has been the case in many markets that have preceded cloud computing, the answer to client wariness is standardization with the aim of delivering transparencies. In other words, create a market where a client can shop between multiple providers and judge their security levels, data handling, performance and service stability on comparable metrics.

Oracle Fusion Middleware does just that. It is based on standards and enables organizations to standardize their platform offerings.

Oracle Fusion middleware enables you to secure mobile (native and Web) applications with Oracle Access Management. This includes authenticating users with existing credentials; enabling two-factor authentication; and using mobile authentication to enable secure Web services and REST APIs, REST-to-SOAP transformation, and identity propagation.

Version 11.1.1.8, the latest release of Oracle WebCenter Sites, provides an integrated mobile Web solution that enables business users to author, edit, and preview content for different groups of mobile devices—all from within the same interface that is used to manage their main Website. Oracle WebCenter Framework is an Oracle JDeveloper design-time extension that breaks down the boundaries between Web-based portals and enterprise applications. It also provides the runtime portal and Web 2.0 framework on which all Oracle WebCenter technology runs.

The Best of Breed
With Oracle Fusion Middleware, you gain access to best-of-breed technology platforms and tools that not only enable your organization's BYOD program to sprint forward but also enhance the service delivery model, providing your organization with the core tools and technology that power not just your BYOD and MDM strategy but also, on the very same platform, your enterprise-wide security strategy.

If you’d like to talk more, you can find us at simeiosolutions.com

Tuesday Dec 03, 2013

Mobile Device Management (MDM) Within Your Enterprise - Simeio Solutions

Introduction
One of the major challenges facing every enterprise in the Bring Your Own Device (BYOD) age is how to maintain control of the devices used to access proprietary data. In this post, the second in our four-part series on BYOD and the changing mobile landscape, we’ll take a look at this issue in more detail.

It’s difficult to overstate the challenge. As organizations enable broader access to more and more information – including highly valuable and sensitive intelligence and intellectual property – they need to ensure that the devices used to access that information are secure, that the devices can be remotely managed and de-authorized, and that information on those devices can be destroyed or disposed of securely. But at the same time, the rise of BYOD means giving up a large measure of control over those devices because they are no longer owned by the organization but rather by individuals who maintain full control and authority over them.

In just a few short years, we’ve moved from uniform, company-owned desktops tethered to the office to diverse, individually-owned mobile devices that can literally be taken – and lost  – anywhere in the world. This mobile revolution has enabled an entirely new kind of workforce and unprecedented productivity and business opportunities, but it has also created a concomitant surge in risk. Addressing this risk has become an organizational imperative, which is why Mobile Device Management (MDM) has become a high priority at most enterprises.

A Plethora of Platforms
When you consider all the moving pieces that are involved in mobile computing – multiple hardware device types and manufacturers, operating systems, applications, telecommunications carriers, and supporting back-end infrastructures – the challenge of securing your mobile devices can seem all the more daunting.

Most enterprises would consider securing the platform vendors, hardware providers and telecommunication carriers to be “out-of-scope” due to the sheer volume of platform vendors and the telecommunication carriers that provide the backbone service to users across continents. It is far more practical to control and enforce restrictions on the individual devices.

In the early days of mobile computing, organizations could select a single platform to support (e.g. Blackberry), which made the job far more manageable. The adoption of BYOD, however, means you’ll need to support a wide variety of platforms, including Google Android, Apple iOS, Microsoft Windows and Blackberry, the four primary players at the moment.

There is no right or wrong platform when it comes to addressing security and MDM. Each platform comes with its own set of features, benefits and associated risks:

  1. Blackberry: The Blackberry has enjoyed tremendous popularity among IT organizations. The Blackberry software provides enterprises with servers and software that offer unparalleled remote management capabilities, but it comes at a cost. Blackberry has also recently lost significant market share to competitors, and many are questioning its survival.
  2. Apple iOS: Many consider the iPhone and iPad to be the most innovative products when it comes to revolutionizing the mobile industry. Unfortunately, many also consider iOS to be one of the weakest platforms when it comes to device management. While the ability to deploy and distribute apps is a breeze, managing these devices remotely could prove to be quite a challenge. Apple has responded to this criticism with a new OS version and hardware with improved security and integrated MDM features.
  3. Google Android: Android is by far the most popular platform as measured by market share. However, it is also known for its notorious variety of devices and flavors of operating environments. Even with the diverse array of OS options available, some Android devices come with enterprise-grade software services that enable remote management (although some do not).
  4. Microsoft Windows: Microsoft is a well-known player in the mobility space, but the reliance on third-party toolsets, systems and servers to manage devices by leveraging the vendor-published device management protocol makes it a complex deployment.

Despite the pros and cons, organizations today must be ready to support any and all of these platforms without compromising the organization’s security. Securing the devices, the applications and the data that these devices hold goes way beyond the simple authentication platforms that are currently in place. There is also the need for compliance enforcement to ensure that each of these devices is secured and does not in any way become a pathway for exploits and intrusions into the larger systems that form part of an enterprise’s proprietary infrastructure.

Past, Present and Future
As device adoption changes over time, it is crucial to be prepared to address these changes as they occur. A dominant platform may shrink as time rolls by. Your organization might currently have predominantly iOS and Android devices but could change to a predominantly Windows-based fleet over time, or vice versa. It is important to acknowledge these evolving patterns and gear up for an ever-evolving device adoption strategy.

The current market adoption of the various platforms has Android at 61%, iOS at 20.5%, Windows at 5.2%, Blackberry at 6% and Other devices at 7.3%.

However, there is a huge difference between the overall market share and enterprise use, where Blackberry – despite its fall from grace with consumers – continues to be a dominant player. BlackBerry still has a market share of about 38% among businesses with more than 10,000 employees, as well as more than a 33% share in government and financial institutions. But this appears to be changing rapidly.

This is exactly the kind of situation where a good MDM strategy would enable organizations to traverse any change in market dominance that may occur over time.  Adoption and market share also tend to vary by geographic region. For example, Android adoption could be very high in Asia Pacific while relatively low in North America. Therefore it is necessary to also look at an organization’s geographic employee dispersion ratio while building a strong MDM strategy.

By 2015, it’s projected there will be 7.5 billion mobile devices globally. By 2016, it is estimated that global mobile device usage will grow by 20% in the Android space, 10% in the iOS space, 30% in Windows phones, and 3% more Blackberry users. According to a recent Forrester Research Report, mobility and BYOD programs in use by North American based information workers are expected to triple by 2014. Also, the use of tablets at work is rising at an exponential rate. Today there are 50% more tablets being used in the enterprise than just a year ago.

The bottom line is that the future could hold anything. It could be an exponential increase of one of the aforesaid platforms or an emergence of a new platform altogether. You must be ready in any case.

An Effective MDM Strategy
Building an effective MDM strategy is of great value to any enterprise. We believe there are three key criteria when choosing or developing an MDM solution:

1)  Develop a single, unified solution with the flexibility to address virtually any device or platform.

Given the rapidly shifting market shares and already large and rapidly growing number of mobile devices, it would be a Sisyphean task to maintain one device management tool per device. A better strategy is one that has a broader focus on converging technologies that power a variety of devices.

Having a unified MDM service allows for global policy enforcements. It also allows for rapidly provisioning and de-provisioning devices onto the network with split liability – where individuals agree to cede some control over their personal device, often in exchange for a stipend or sharing of expenses with the enterprise.

Such a unified MDM service gives employees more control over which devices they are allowed to bring in. It also gives employers more control over what these devices can do when on the corporate network.

2)  Cover the complete lifecycle – especially in between the two endpoints.

Your MDM solution shouldn’t be limited to the provisioning and deprovisioning aspects of a BYOD program but should focus more on the period in between those two endpoints, including the ability to:
  • Control what runs on the device when connected to the corporate network
  • Determine whether security protocols have been adhered to
  • Do an over-the-air (OTA) update of applications, configurations or device firmware
  • Support audit requirements
  • Track the location of the devices themselves

3)  Look to the cloud

Organizations embracing “cloud computing” have been steadily increasing, which comes as no surprise with the increased growth in the mobility space. Cloud based Mobile Device Management solutions have emerged as well, which organizations can leverage in tandem with their internal cloud transformation processes.

Prioritizing investments in effective strategies not only allows for on-boarding a new MDM platform at a much more rapid pace, but also helps ensure the security and integrity of the systems that the organization exposes to the cloud, in addition to the devices that are now onboarded into the organization’s network.


MDM Best Practices
At Simeio Solutions [http://www.simeiosolutions.com/], we’ve established a set of best practices to help our clients implement a successful enterprise MDM strategy. These include:

  1. Enable multi-platform, vendor-agnostic device on-boarding. Even so, enterprises should allow only those mobile devices that have the best possible control and security built in.
  2. A strong security policy. Enterprises must strive to employ a good encryption methodology, which is key to building a strong security policy. Device encryption can protect local storage, but enterprises must ensure that encryption covers all the risk areas, including internal and external systems as well.
  3. Maintain a device registry. Take a periodic inventory of all the devices connected to the corporate network.
  4. Remote over-the-air updates. It is essential to identify unusual situations such as jailbreaks, lost devices, device theft, repeated failed login attempts or failure to connect to the network for lengthy periods (e.g. more than a month), and to enable those mobile devices for remote wiping, automatic padlocking and account locks.
  5. Maintain an application white-list. Tentative white-listing of applications allows only authorized software to be installed on mobile devices and prevents malicious software from entering the corporate network.
  6. SSL and VPN Connectivity. Enterprises should employ VPN access to enjoy the benefits of shared networks without any security concerns in transmitting sensitive data over the internet, since VPNs encrypt the data in transit.
  7. Regular security updates and patches. Enterprises need to ensure that the mobile devices connected to their corporate network receive regular security updates, along with new upgrades and patches for the mobile operating systems (iOS, Android, BlackBerry OS, etc.).
  8. Deploy intrusion detection and prevention systems (IPS/IDS). IPS helps to proactively respond to security threats initiated on the corporate network by smartphones and tablets. Enterprises could extend their existing IPS systems to monitor mobile devices and help deter risks associated with remote attacks.
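Practices 3 and 4 above (keep a device registry; detect jailbreaks, lost devices, repeated failed logins and long-silent devices, then lock or wipe) can be expressed as a small compliance audit over the registry. The code below is an added example written for this post, not Simeio's or Oracle's code; the failed-login threshold of 5 and the sample device records are constructed assumptions, while the one-month silence window comes from the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import IntEnum
from typing import Dict, List, Optional


class Action(IntEnum):
    """Response actions ordered by severity so that the worst one wins."""
    NONE = 0
    LOCK = 1   # automatic padlock of the device plus an account lock
    WIPE = 2   # remote wipe of corporate data


@dataclass
class Device:
    device_id: str
    owner: str
    platform: str                       # e.g. "ios", "android"
    jailbroken: bool = False
    reported_lost: bool = False
    failed_logins: int = 0
    last_checkin: Optional[datetime] = None


@dataclass
class Policy:
    """Thresholds are assumptions for this example; only the one-month
    silence window is taken from the post."""
    max_failed_logins: int = 5
    max_silence: timedelta = timedelta(days=30)
    wipe_on_loss: bool = True


@dataclass
class Finding:
    device_id: str
    reasons: List[str]
    action: Action


def evaluate(device: Device, policy: Policy, now: datetime) -> Finding:
    """Apply the 'unusual situation' rules from practice 4 to one device."""
    reasons: List[str] = []
    action = Action.NONE
    if device.jailbroken:
        # A rooted/jailbroken OS undermines device encryption and app controls.
        reasons.append("jailbreak/root detected")
        action = max(action, Action.WIPE)
    if device.reported_lost:
        reasons.append("reported lost or stolen")
        action = max(action, Action.WIPE if policy.wipe_on_loss else Action.LOCK)
    if device.failed_logins >= policy.max_failed_logins:
        reasons.append(f"{device.failed_logins} consecutive failed logins")
        action = max(action, Action.LOCK)
    if device.last_checkin is None or now - device.last_checkin > policy.max_silence:
        reasons.append(f"no check-in for more than {policy.max_silence.days} days")
        action = max(action, Action.LOCK)
    return Finding(device.device_id, reasons, action)


class DeviceRegistry:
    """Practice 3: the inventory the MDM server keeps of enrolled devices."""

    def __init__(self) -> None:
        self._devices: Dict[str, Device] = {}

    def enroll(self, device: Device) -> None:
        self._devices[device.device_id] = device

    def record_checkin(self, device_id: str, when: datetime, jailbroken: bool) -> None:
        """A check-in refreshes the timestamp and the device's integrity status."""
        d = self._devices[device_id]
        d.last_checkin = when
        d.jailbroken = jailbroken

    def record_failed_login(self, device_id: str) -> None:
        self._devices[device_id].failed_logins += 1

    def report_lost(self, device_id: str) -> None:
        self._devices[device_id].reported_lost = True

    def audit(self, policy: Policy, now: datetime) -> List[Finding]:
        """Periodic inventory: return only the devices that need an action."""
        findings = [evaluate(d, policy, now) for d in self._devices.values()]
        return [f for f in findings if f.action is not Action.NONE]


def build_sample_registry(now: datetime) -> DeviceRegistry:
    """Constructed sample data for the example, not real devices."""
    reg = DeviceRegistry()
    reg.enroll(Device("dev-001", "alice", "ios", last_checkin=now - timedelta(days=1)))
    reg.enroll(Device("dev-002", "bob", "android", last_checkin=now - timedelta(days=2)))
    reg.record_checkin("dev-002", now - timedelta(hours=3), jailbroken=True)
    reg.enroll(Device("dev-003", "carol", "ios", last_checkin=now - timedelta(days=45)))
    reg.enroll(Device("dev-004", "dave", "android", last_checkin=now - timedelta(days=1)))
    for _ in range(6):
        reg.record_failed_login("dev-004")
    reg.enroll(Device("dev-005", "erin", "ios", last_checkin=now - timedelta(days=1)))
    reg.report_lost("dev-005")
    return reg


if __name__ == "__main__":
    now = datetime(2015, 2, 27, 9, 0, 0)
    for f in build_sample_registry(now).audit(Policy(), now):
        print(f.device_id, f.action.name, "; ".join(f.reasons))
```

Running the audit on the sample registry flags four of the five devices: the jailbroken and the lost device for a wipe, the silent device and the one with repeated failed logins for a lock.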


MDM and Security
Addressing security is a critical component of an effective MDM strategy. Inevitably, you’ll have a laundry list of security issues that must be considered and addressed. You may need to look at security from many perspectives, including how to secure the data on the device, how a device or user is authenticated before being granted access to information or resources, and how data in transit is protected from tampering while its confidentiality is preserved.

Security as it pertains to MDM involves cryptographic algorithms such as RSA and AES and hash functions such as MD5. It also involves one-time-password token services such as OATH HOTP and TOTP. You will need to pay attention to protocols such as HTTPS, LDAPS, and other secure means of transmission. There are also session handlers, two-factor authentication services, secure delete, and device management capabilities including remote wipe, remote lock, and remote install.

The three major components of a strong MDM security framework are:

  1. Data Access Security Mechanisms
    • User and device authentication
    • Authorization and policy enforcement
    • Integration with other token services that leverage the existing identity management infrastructure to access services such as Salesforce.com or Box.net
  2. Data Storage Security Mechanisms
    • Encrypt data at rest, both on the device and in the server-side applications and service components
    • Secure delete and the ability to overwrite existing data
    • Protection of the keys, credentials and tokens used to decrypt data and make it available for use
  3. Data Transmission Security Mechanisms
    • Establishing a secure connection between the device and the company’s infrastructure
    • Creating and managing sessions for the required set of transactions
    • Handling HTTP requests in the appropriate manner
    • Encryption of data transmitted over the channel

Bring it all together
Scaling to support all of the possible mobility-enabled devices could incur significant hardware costs and create management complexity. Even though scalability may seem like a distant concern for some enterprises, mobile devices and applications growing at the current rate will make that concern a reality sooner rather than later. Enterprises will do well to incorporate long-term scalability requirements into their plans early on.

Luckily, a variety of solutions have emerged to help organizations meet this challenge. Oracle, for example, has a suite of tools that can make it easier for organizations to deploy a strong MDM solution. They can even make it easy for employees to onboard their own devices to the corporate infrastructure in split liability mode.

Oracle Beehive is one such tool. It provides an integrated set of communication and collaboration services built on a single scalable, secure, enterprise-class platform. Beehive allows users to access their collaborative information through familiar tools while enabling IT to consolidate infrastructure and implement a centrally managed, secure and compliant collaboration environment built on Oracle technology.

Oracle Utilities for Operational Device Management is another example. It was developed by Oracle solely for the purpose of meeting the needs of asset management for “smart devices.” The software manages devices such as meters, access points or communication relays and communication components attached to various devices that are too complex for traditional asset management systems. It handles critical functions, such as managing and tracking updates and patches, as well as supporting governance and regulatory audits and smart grid Network Operations Center (NOC) processes.

Oracle Platform Security Services (OPSS) provides an abstraction layer in the form of standards-based application programming interfaces (APIs) that insulate mobile app developers from security and identity management implementation details. With OPSS, developers don’t need to know the details of cryptographic key management or of the interfaces to user repositories and other identity management infrastructure. Thanks to OPSS, in-house developed applications, third-party applications, and integrated applications benefit from the same uniform security, identity management, and audit services across the enterprise.

These are just a few examples of the tools available that can help you design and deploy an effective MDM solution. In our next post, we’ll take a look at Mobile Access Management, another key aspect of managing mobile devices in the BYOD age.

About the Author:

Rohan Pinto is a Senior IAM Architect at Simeio Solutions who is responsible for architecting, implementing and deploying large-scale Identity Management, Authentication and Authorization (RBAC, ABAC, RiskBAC, TrustBAC) infrastructures with specific emphasis in Security.


Wednesday May 15, 2013

What Can Oracle API Gateway Do for You?

Author: Sid Mishra

The Application Programming Interface (API) is an emerging technology trend for integrating applications using web technology. Adoption of a cloud based computing approach using an API based model results in greater operational efficiencies and lower costs than many traditional IT deployments. The approach is gaining popularity because it is based on well-understood techniques and leverages existing infrastructure. APIs and traditional services in a SOA model have a 1:1 relationship: an API is the interface of a service. Services are about the implementation and are focused on the provider, while an API is about using the functionality, and is focused on the consumer.

However, as with any new technology, security is often a major inhibitor to adoption. A cloud service consumer or subscriber based computing model is associated with concerns over visibility into these services, less control over security policies, new threats facing shared deployment environments and complexity of demonstrating compliance. Also, it can be a mistake to think APIs should be secured using the same methods and technology used to secure conventional browser-centric web. While it is true that APIs share many of the same threats as the web and a consistent and centralized access control is a growing pain point for most deployments, APIs are fundamentally different from web sites and have a unique risk profile that must also be addressed.

Oracle API Gateway, a standards-based, policy-driven, standalone software security and API management solution, provides a first line of defense in Service-Oriented Architecture (SOA) and cloud environments. It enables organizations to securely and rapidly adopt Cloud, Mobile and SOA Services by bridging the gaps and managing the interactions between all relevant systems. As a central access control point, Oracle API Gateway manages how internal users and application assets are exposed to outside cloud offerings and reduces cloud-related security risks. It allows enterprises to leverage their existing Identity and Access Management investments by extending authentication, authorization and risk policies to mobile, cloud and enterprise applications – without requiring changes to back-end applications and services. As a Mobile Access Gateway, it simplifies the process of adapting internal data, application and security infrastructure for mobile use. It provides a centralized way to control security and management policies for information assets exposed via internet APIs to mobile applications and developers.

To learn more about API Management and secure cloud connectivity using Oracle API Gateway, refer to the product datasheet links here and here.

Friday Apr 26, 2013

Globe Trotters Edition: The Economic Impact of Security

Author: Ricardo Diaz

News on cyber crime recently made front page news.

Vast majority of global cyber-espionage emanates from China, report finds -Washington Post April 2013.

The economic threat of cyber crime is serious, has impacted and will impact our daily lives, and unfortunately has been a threat most businesses haven't taken seriously for decades. Rather, for decades, we have mis-directed our efforts to focus elsewhere as opposed to what really needs to be protected - our data or intellectual property. Economic Espionage is a threat you, your business and organizations you do business with should take a long, hard look at before your next security investment.

Mis-directed? You know what I am talking about. Consider what we think about the "real threat" of cyber crime. Some punk teenage hacker, hyped up on Redbull and Pixie Sticks, whose sole focus is to create havoc by breaking into your home PC or defacing your corporate website before he runs off to his next all night rave. This is the common portrayal of the threat that we come across in the media. Unfortunately this highlights a common misconception that most security threats are carried out to either hack your wallet or hack some government facility to crack into a top secret military facility.

Why would a major World Power be interested in our corporate data? Simple... It's the power of economics and competitive advantage! Most business executives understand the economic impact of losing corporate intellectual property to a competitor. What they don't understand is where the threat is coming from, whether this will ever happen to them, and how frequently economic espionage attacks happen - and not from the traditional places or people we thought.

Still, how does this impact you? Well, "everyone gets burned if you think about it", is how a fellow security mate of mine put it. The cost of data loss = loss of credibility, stock price going down, liability lawsuits, cost of compliance, brand tarnished and maybe your job. It may impact your job because not enough investment may be made in your projects, additional resources or financial incentives cut down, meanwhile as you send out your résumé, how attractive is it to put that tarnished company name on it? Not very!

Everyone is impacted!

What specifically is under attack or being stolen? It's not the devices or the systems but the data on it. What is the bigger threat? Losing your iPhone or losing the data with those passwords on it? Yes, that's right... The threat of Data loss, now more than ever, not only is on the inside of your business but now travels in our pocket, bags and purses of your employees everyday. Thank you BYOD to work!!

So, what is to be done? Secure the data by building data security controls and access controls and of course building a compliance process around it all to keep it all in check and prove compliance. Realize security is not orthogonal to business growth/profit; security can save the cost we talked about earlier and actually create business opportunity (reach out to new customers using secure social media, attract new talent with BYOD, bring agility with secure cloud). We just need to think differently about security: it is not wires, padlocks, just firewalls or multiple authentication controls; instead we should take a holistic approach to securing your data.

Hence why I love working at Oracle and with the global security team. There is no better place for a security technology aficionado than at Oracle. Massive R&D investments in security acquisitions (over $1 Billion In Identity Management since 2004), industry leading technology (Leaders position in Magic Quadrants in Identity Management for years), a plethora of thought leaders and cutting edge innovations (e.g. Oracle Mobile and Social Access Management - see SUPERVALU use case) are the hooks that have kept me planted at Oracle for the past 9 years. Where else can one find a security technology solution to enforce Separation-of-Duty (SoD) policy, automatically across the enterprise? Only Oracle.

The economic impact of security related threats to your business is real. Pay attention to WHAT is being stolen (corporate data - intellectual property) in these cyber crime attacks! In this day and age, gaining a competitive advantage has never been easier thanks to cyber espionage. Why develop or research when I can appropriate what I need via my competitors' weak technology infrastructure, information security policy and process??

This risk can be mitigated and reduced, significantly, by investing in a risk intelligent, Oracle enterprise security architecture, built to Secure the Digital Experience, Data Centers, Applications and The Cloud. Learn more at www.oracle.com/security

Image Courtesy: thehackernews.com, siliconangle.com

Bio

Who is Ricardo Diaz?

Husband, father, technologist, identity management, security and privacy adroit, CrossFitter, ESPN addict and dog lover!

For the better part of my 17+ years as an enterprise security architect, consultant or business advisor, I have traveled many miles across this great planet of ours, to sit down with customers to help evaluate and better understand what the real threats are, how important it is to protect their data/users and put the proper controls/policies/processes in place to mitigate risks.

Tuesday Apr 02, 2013

Securely Social SuperMarkets: SUPERVALU Embraces Secure Social and Mobile

Oracle announced today that SUPERVALU is leveraging Oracle Identity Management Release 2 to empower its employees to securely use social and mobile environments in an effort to bring efficiency and agility at grocery storefronts.

SUPERVALU is a leading grocery retailer and supply chain operator that has over 2,000 retail locations and 2,500 independent franchises, as well as extensive supply chain services that are leveraged by the company, customers and government organizations across the country.

Powered by Oracle Identity Management, SUPERVALU’s advanced social and mobile strategy serves as an excellent example of how companies today are leveraging social and mobile to enable business and improve customer experience. Read the press release and take a look at this brief video we recorded with SUPERVALU’s Phillip Black.

What is your business case for social and/or mobile? Do tell.

Wednesday Mar 13, 2013

Virgin Media Takes Identity Management Underground

Hardware and Software, Engineered to Work Together
Oracle Corporation

Oracle Identity Management Gave Virgin Media the Security and Control to Provide Free Wi-Fi to Millions

The 2012 Olympics brought millions of athletes, support crews, vendors, and spectators into London. The task of providing free, secure Wi-Fi services to the London Underground went to Virgin Media.

In the end, they registered more than 10,000 new users daily and supported up to 800,000 sessions every day, peaking at 24,163 simultaneous users, along with millions of tweets, Facebook posts, and more.

Join This Important Security Webcast

You’ll hear how Virgin Media, the UK’s first combined provider of broadband, TV, mobile, and home phone services, used Oracle Identity Management, Oracle Virtual Directory, and Oracle Entitlements Server to leverage back-end legacy systems that were never designed to be externalized.

You’ll learn how they:

  • Transformed the London Underground deployment into a platform for authorizing other services
  • Reused Oracle Entitlements Server and Oracle Virtual Directory for authorizing customers to view video-on-demand content on their Virgin Media set top boxes
  • Expanded to deliver true place-shifting—allowing subscribers to watch pay-per-view assets from any device, anywhere

As you continue to embrace mobile and social, Oracle Identity Management will become even more important, enabling interaction and securing the experience. Join us and find out how.

Register now for this Webcast, “Virgin Media Takes Identity Management Underground.”

Join us for this Webcast, Virgin Media Takes Identity Management Underground.
Thurs., March 28, 2013
10 a.m. PT / 1 p.m. ET
Presented by:
Ben Bulpett, Alliances and Enterprise Accounts, aurionPro Sena
Perry Banton, IT Architect, Virgin Media
Naresh Persaud, Director, Product Marketing, Oracle
Use #idmtalk

To participate in the live Q&A, submit your questions on Twitter before or during the event.
Send to @oracleidm using #idmtalk
Copyright © 2013, Oracle and/or its affiliates.
All rights reserved.

Thursday Mar 07, 2013

UPMC Offers CloudConnect Health IT to Help Healthcare Organizations with Identity Management

UPMC announced today the launch of CloudConnect Health IT. Powered by Oracle Identity Management, CloudConnect Health IT is a cloud-based identity management solution geared towards small and midsized health care providers.

CloudConnect Health IT is a complete package from UPMC that offers healthcare providers Oracle Identity Management applications enhanced by health care-specific processes developed at UPMC to specifically meet the needs of clinicians. The goal is to provide a cost-effective, standardized, cloud-based IT security solution specifically designed to meet the needs of small and midsized healthcare providers.

The CloudConnect Health IT solution will allow health care users to easily manage user accounts, including automating adding, modifying and terminating a user’s computer access; managing access based on the user’s job profile; and providing self-service functions such as password reset, as well as comprehensive management reporting. The new service is built on Oracle Identity Governance Suite, Oracle Access Management and Oracle Directory Services to enable ease of use and offer the support and scalability that will be required in the cloud.

For more information, read the press release.

Monday Feb 04, 2013

Avea Customer Success story: webcast wrap-up

Thanks to everyone that joined us for the live webcast on January 31.

For those of you that missed it, the webcast was recorded and I will post the replay link here when it becomes available.

Webcast replay is now available here: click for replay (note: you may have to scroll down to find it)

We were not able to get to all the questions during the call, so I have retrieved the list of questions, and will send them to the Avea team to answer. 

I have also posted the slides below. 

Wednesday Jan 30, 2013

Tweet Jam Reveals - Authentication: Stronger or More Often?

Last week, on January 22nd, Mike Neuenschwander, Senior Director, Security & Identity Management at Oracle, took over the @OracleIDM account to host a live twitter chat at #AuthChat. The topic – Authentication: Stronger or More Often?

Mobile, social and cloud are changing the way we do business today. User identity and devices are crossing the personal and professional boundaries making it a seamless world. And that brings us to – Authentication. Accepting a social identity or allowing an employee or a user to sign-on from a personal device to access business applications is becoming more common place. Meanwhile, organizations are still struggling with passwords – too many/too vulnerable.

With that in mind, the live twitter discussion focused on key trends in authentication and predictions for 2013. The tweet chat explored if practices like “Trust but Verify” still hold true today or not. Industry thought leaders including Bob Blakley, Dave Kearns, Eve Maler, Ian Glazer, Dan Miller and more participated in this very engaging discussion. The interaction ranged from whether passwords were a dying breed to the cost of biometrics, to the state of SAML and all things authentication.

From serious musings to light hearted commentary (including this pic that Eve Maler from Forrester shared re. #authcat #authchat), the tweet jam proved to be a great meeting of minds.

Even if you participated, you may have missed portions of the live discussion, so we have curated the chat; it might be worth going back and following the discussion.

One of my personal favorites was a tweet from Clayton Donley who said “Killing all passwords is like killing all mosquitoes…good luck with that!”

Catch the recap of the tweet jam and while you still can, feel free to search for the complete thread by searching on “#authchat” on twitter.

Meanwhile, the first tweet jam has whetted our appetite. We are looking to put together a schedule for identity tweet chats. Have a topic in mind? Send it our way; we look forward to hearing from you.

Recap: Authentication – Stronger or More Often? Tweet Jam Archive

Picture Courtesy: http://t.co/Fnut41P3 

Monday Jan 21, 2013

Partner Blog Series: aurionPro SENA- Who Moved My Security Boundary? Part 3

Consumerization of Identity: Bringing Social Identity to Work

Business is now driving costs out and enriching services with the sophisticated use of identity information. Forward-looking organizations are latching on to terms such as “social media identity” and “Consumerization” to gain an upper hand against the competition through improved and simplified internal or consumer orientated user experience. What does this mean in real terms, though?

We’ve looked previously at how the desire of users and consumers to access information from anywhere at any time impacts on our approach. The security boundary has surely moved. But how far? Yes, it could move as far as individual data elements. If we examine things more closely, however, is the step that employees and consumers are asking us to take really such a big one? Is it a blind leap into the unknown, or a manageable journey to a better place for all?

Complexity always exists, and simplification for end-users will likely come as a result of an infrastructure that is functionally richer. The discussion should not be one of complexity, though. To decide whether to accede to our users’ requests and support the consumerization of identity, we must focus primarily on risk. Let’s approach this from two points of view.

The first view is that of security of social identity. There is much talk of using Facebook, Twitter and other social media identity to replace logon to low-value resource on company websites. The knee-jerk reaction to such a request is “no way”, because it just feels insecure. If we think about it, though, what’s more valuable to an individual? Their company-provided extranet logon or their Facebook logon? Their company credit card or their personal credit card? Their office keys or their house keys? People will always tend to value more highly those things whose compromise will lead to greater personal impact. And thus they will protect them more diligently. So a Facebook logon is arguably more valuable to its holder than the extranet logon. Of course, the comparison is not as simple as just that one aspect. Among other risks, personal assets can be shared with a trusted peer group, particularly family, whereas corporate assets are typically not. Conversely, personal assets are generally not shared with trusted work peer groups either, whereas corporate assets can be. However, the point remains that a social identity is not the weak credential that it can appear to be when just using initial gut reaction.

So with a combination of both personal and corporate security responsibilities, the security of a credential existing in both domains simultaneously can be greater than one that exists purely in a single domain. The duties of care between the employer and the employee are becoming entwined in a subtle way that is hard to unpick, but in a way where security benefits can accrue in unanticipated ways for both sides.

Take a second, completely different viewpoint. It’s common for employees to use social identity for numerous business purposes. Data is sourced and published in the public domain using identities that exist in the public domain. Marketing, recruitment and many other activities rely on sites such as Twitter and LinkedIn. Does the company gain benefit by trying to control these public domain identities too closely? Should the employee be allowed to use their personal accounts? Just as valid a question is: does the employee want to use their personal accounts?

Employees are asking for access to everything from everywhere. But do they really want so much freedom, with almost no boundary between personal and corporate identities? Is a degree of separation between the two desirable for all? Regardless, identity governance needs as complete a picture as possible of system access – for corporate, partner and cloud systems. The risk assessment around this needs data, so we need to include public domain systems in our governance scope. We can’t establish a BYOD or social identity programme without an analysis of the risk trade-offs.

So where does this leave us? Are we being asked to take the blind leap into the unknown? It leaves us at "Security: Step 1".

We need to do the risk assessment. We need to compare the business rewards, the possible issues and compare these with the corporate risk appetite. And crucially, to do this we need to know what our employees and customers really desire. They really aren’t asking us to move to a scary place.

In fact, for some areas of business it is a wholly appropriate place. Irrespective, though, it’s just to a place we’re not accustomed to in the new use cases we are being presented with.

But know this. If you choose to say “yes” to shifting the security boundary, the technology exists to support your journey. We will look more closely at some of the options in our final part of this series.

About the Author:

Mike Nelsey, Managing Director, aurionPro SENA

Working in the IT industry since the early ’90s, Mike leads the aurionPro SENA European operation. Mike has been involved in identity and access management since 1999, when the company won its first framework agreement with UK policing for web access control. Since then he has overseen the company’s strategy, moving into a focused delivery model working closely with Oracle to provide a true stack offering covering consult, design, build and support.

About

Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.
