Monday Jan 21, 2013

Partner Blog Series: aurionPro SENA- Who Moved My Security Boundary? Part 3

Consumerization of Identity: Bringing Social Identity to Work

Business is now driving costs out and enriching services with the sophisticated use of identity information. Forward-looking organizations are latching on to terms such as “social media identity” and “consumerization” to gain an upper hand against the competition through an improved and simplified user experience, whether internal or consumer-oriented. What does this mean in real terms, though?

We’ve looked previously at how the desire of users and consumers to access information from anywhere at any time impacts on our approach. The security boundary has surely moved. But how far? Yes, it could move as far as individual data elements. If we examine things more closely, however, is the step that employees and consumers are asking us to take really such a big one? Is it a blind leap into the unknown, or a manageable journey to a better place for all?

Complexity always exists, and simplification for end-users will likely come as a result of an infrastructure that is functionally richer. The discussion should not be one of complexity, though. To decide whether to accede to our users’ requests and support the consumerization of identity, we must focus primarily on risk. Let’s approach this from two points of view.

The first view is that of the security of social identity. There is much talk of using Facebook, Twitter and other social media identities to replace logon to low-value resources on company websites. The knee-jerk reaction to such a request is “no way”, because it just feels insecure. If we think about it, though, what’s more valuable to an individual? Their company-provided extranet logon or their Facebook logon? Their company credit card or their personal credit card? Their office keys or their house keys? People will always tend to value more highly those things whose compromise will lead to greater personal impact, and thus they will protect them more diligently. So a Facebook logon is arguably more valuable to its holder than the extranet logon. Of course, the comparison is not as simple as just that one aspect. Among other risks, personal assets can be shared with a trusted peer group, particularly family, whereas corporate assets are typically not. Conversely, personal assets are generally not shared with trusted work peer groups either, whereas corporate assets can be. However, the point remains that a social identity is not the weak credential that it can appear to be on initial gut reaction.

So with a combination of both personal and corporate security responsibilities, the security of a credential existing in both domains simultaneously can be greater than that of one that exists purely in a single domain. The duties of care between the employer and the employee are becoming entwined in a subtle way that is hard to unpick, but in a way where security benefits can accrue unexpectedly for both sides.

Take a second, completely different viewpoint. It’s common for employees to use social identity for numerous business purposes. Data is sourced and published in the public domain using identities that exist in the public domain. Marketing, recruitment and many other activities rely on sites such as Twitter and LinkedIn. Does the company gain benefit by trying to control these public domain identities too closely? Should the employee be allowed to use their personal accounts? Just as valid a question is: does the employee want to use their personal accounts?

Employees are asking for access to everything from everywhere. But do they really want so much freedom, with almost no boundary between personal and corporate identities? Is a degree of separation between the two desirable for all? Regardless, identity governance needs as complete a picture as possible of system access, across corporate, partner and cloud systems. The risk assessment around this needs data, so we need to include public domain systems in our governance scope. We can’t establish a BYOD or social identity programme without an analysis of the risk trade-offs.

So where does this leave us? Are we being asked to take the blind leap into the unknown? It leaves us at "Security: Step 1".

We need to do the risk assessment. We need to compare the business rewards, the possible issues and compare these with the corporate risk appetite. And crucially, to do this we need to know what our employees and customers really desire. They really aren’t asking us to move to a scary place.

In fact, for some areas of business it is a wholly appropriate place. It is simply a place we are not yet accustomed to, reached through the new use cases we are being presented with.

But know this. If you choose to say “yes” to shifting the security boundary, the technology exists to support your journey. We will look more closely at some of the options in our final part of this series.

About the Author:

Mike Nelsey, Managing Director, aurionPro SENA

Working in the IT industry since the early 90’s, Mike leads the aurionPro SENA European operation. Mike has been involved in identity and access management since 1999, when the company won its first framework agreement with UK policing for web access control. Since then he has overseen the company’s strategy, moving into a focused delivery model working closely with Oracle to provide a true stack offering covering consult, design, build and support.

Thursday Jan 10, 2013

Partner Blog Series: Deloitte Talks Part 2: BYOD - An Emerging Technology Concept

There’s an accelerating trend in the workplace raising new challenges for today’s CIO: the bring your own device (BYOD) revolution. The use and acceptance of mobile devices in the workplace is a critical issue that many chief executives are considering for their corporate environment. A BYOD strategy enables an employee to use a single device with the flexibility and usability they prefer, while providing access to both their personal and business applications and data. There are also potential cost savings for the enterprise as the employee may bear the cost of the device and the ongoing mobile access plan. An enterprise should consider the extent to which BYOD will be embraced, and the challenges BYOD presents as a part of an enterprise’s overall mobile security management strategy.

Before embarking on this journey, an organization should first decide – why BYOD? Does the increased user productivity and availability of data outweigh the risk and the associated mitigation expense? There are risks introduced at the device, application and infrastructure levels that present new challenges. These challenges may vary from compliance issues, to data leaks, to malware and challenges will likely only intensify as the number of mobile devices and operating systems proliferate. Another option is that the employer can provide employees with a mobile device hoping to enhance their productivity and ability to support the organization remotely. The illustrative chart below depicts some of the Pros and Cons of an employer providing corporate mobile devices versus letting employees use their own mobile phones and tablets.


Bring Your Own (pros):
  • Device and connectivity costs incurred by employee
  • Addresses increased demand of employees to connect personal devices to corporate networks

Bring Your Own (cons):
  • Limited device oversight and control
  • Increased challenges with enforcing legal and regulatory requirements
  • Device and data ownership questions

Corporate Provided (pros):
  • Tighter device oversight and control
  • Streamlining devices, platforms and OSes simplifies IT support
  • Service fees negotiated with service providers; increased purchasing power

Corporate Provided (cons):
  • Cost of providing devices
  • High employee demand for broader diversity in devices can lead to lower satisfaction and adoption
  • May require potential increase in IT support staffing and skill set requirements
  • Privacy considerations with monitoring of employee usage and activity, etc.

As an organization gains an understanding of the key risks that may affect the business, the next step is determining and defining the approach to a secure BYOD solution deployment. One of the primary risks of mobile devices to the enterprise is the security of data that is stored on the devices. Corporate email, financial and marketing data and any other sensitive data may leak out of the organization if the device is not encrypted and adequately protected.

Another point to consider is how the organization might prevent rogue mobile devices from accessing the network. What will prevent users from bringing in their own unpatched/unapproved devices into the environment? Network Access Control (NAC) solutions may help to solve this issue. These solutions have become a popular way to manage the risk of employee owned devices. NAC allows organizations to control which devices can access each level of the organization’s internal network. For example, NAC can limit how a device can connect to the network, what it can access, prevent downloading and potentially prohibit a device from connecting at all. A “health-check” that inspects for required security configurations and controls can be performed before allowing a device to connect to the network to keep the network safe from viruses and malware that could be on an employee owned mobile device. If a “health-check” is not performed before the device is allowed on the network, the scenario described below could occur:

When determining the desired approach, it is critical for an organization to understand the specific use cases and incorporate key business drivers and objectives. This will allow the enterprise to determine if the primary objectives from a mobile security perspective are device, or data centric or a combination of both for their BYOD program.

Device Centric:
  • Mobile device management (MDM)
  • Strict device policy enforcement
  • Local data encryption

Data Centric:
  • Minimal device data footprint
  • Communications encryption

A device-centric approach focuses on the mobile device and associated security controls. This approach is typically centered on how the devices are managed, how policies are enforced, data encryption on the local device and solutions such as secure containers. Some key considerations supporting this approach include:

  • MDM software secures, monitors, manages and supports corporate-owned and employee-owned mobile devices deployed across an enterprise
  • Policy enforcement supports permissible/non-permissible devices, considers factors such as who can connect to the network (user types, etc.)
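The NAC “health-check” above and the device-centric policy enforcement just listed both come down to the same decision: given what a device reports about itself, which slice of the network (if any) may it join? The following is an added example written for this page, not code from the Deloitte post or from any NAC or MDM product. The posture attributes, minimum OS versions, age thresholds and tier names are assumptions chosen for illustration; in a real deployment the posture comes from an agent or the MDM and the tier is mapped onto a VLAN, firewall zone or captive-portal redirect.

```python
"""Device posture check before network admission (a NAC "health-check").

Added example, not code from the Deloitte post or any NAC product. The posture
attributes, minimum versions, thresholds and network tiers are assumptions for
illustration; a real NAC gets posture from an agent or the MDM and maps the
resulting tier onto a VLAN, firewall zone or captive-portal redirect.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Network tiers from least to most privileged (assumed names).
DENY = "deny"              # not admitted at all
QUARANTINE = "quarantine"  # remediation network only: patch mirror, MDM enrolment, captive portal
GUEST = "guest"            # internet only, no internal resources
CORPORATE = "corporate"    # full internal access

# Assumed minimum supported OS versions (major, minor) and freshness limits.
MIN_OS_VERSION: Dict[str, Tuple[int, int]] = {"ios": (6, 0), "android": (4, 1), "windows": (6, 1)}
MAX_PATCH_AGE_DAYS = 30
MAX_SIGNATURE_AGE_DAYS = 7


@dataclass
class Posture:
    """What a posture agent or MDM reports about a device (constructed for the example)."""
    device_id: str
    os: str
    os_version: Tuple[int, int]
    mdm_enrolled: bool
    disk_encrypted: bool
    screen_lock: bool
    jailbroken_or_rooted: bool
    days_since_patch: int
    av_signature_age_days: Optional[int] = None  # None: platform has no anti-malware component


@dataclass
class Admission:
    tier: str
    reasons: List[str] = field(default_factory=list)


def evaluate_posture(p: Posture) -> Admission:
    """Map reported posture to a network tier, most restrictive rule first."""
    os_name = p.os.lower()
    # A compromised or unsupported platform is never admitted, whatever else it reports.
    if p.jailbroken_or_rooted:
        return Admission(DENY, ["device is jailbroken/rooted"])
    if os_name not in MIN_OS_VERSION:
        return Admission(DENY, [f"unsupported platform: {p.os}"])

    # Baseline controls every admitted device must show. Failures are collected,
    # not short-circuited, so the user sees everything to fix in one pass.
    failures: List[str] = []
    if p.os_version < MIN_OS_VERSION[os_name]:
        failures.append("OS below minimum supported version")
    if not p.disk_encrypted:
        failures.append("local storage not encrypted")
    if not p.screen_lock:
        failures.append("no screen lock / PIN")
    if p.days_since_patch > MAX_PATCH_AGE_DAYS:
        failures.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")
    if p.av_signature_age_days is not None and p.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        failures.append("anti-malware signatures stale")
    if failures:
        # Quarantine rather than deny: the device can reach only remediation services, then re-check.
        return Admission(QUARANTINE, failures)

    # Healthy but unmanaged personal devices get internet only; MDM-enrolled devices get full access.
    if not p.mdm_enrolled:
        return Admission(GUEST, ["healthy but not MDM-enrolled"])
    return Admission(CORPORATE, ["all posture checks passed"])


# Constructed sample devices covering each tier.
SAMPLE_DEVICES: Dict[str, Posture] = {
    "managed-phone": Posture("ios-001", "iOS", (6, 1), True, True, True, False, 5),
    "personal-tablet": Posture("and-002", "Android", (4, 2), False, True, True, False, 12),
    "stale-laptop": Posture("win-003", "Windows", (6, 1), True, False, True, False, 90, av_signature_age_days=21),
    "rooted-phone": Posture("and-004", "Android", (4, 2), True, True, True, True, 0),
}

if __name__ == "__main__":
    for name, device in SAMPLE_DEVICES.items():
        a = evaluate_posture(device)
        print(f"{name:16s} -> {a.tier:10s} {'; '.join(a.reasons)}")
```

Two design points are worth noting. Failed baseline checks land the device in a quarantine tier rather than an outright deny, because the purpose of a health-check is remediation: the user patches or enables encryption and rejoins. A rooted device, by contrast, cannot be trusted to report its own posture honestly, so it is refused before any other attribute is considered.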

A data-centric approach focuses on the data stored or processed by the mobile device and how it is secured and transmitted. This approach considers how the data is managed on the devices, transmission security, virtualization and data integrity. Some key considerations are:

  • Minimizing local data storage on the device reduces the risk associated with device loss or theft
  • Securing the transmission of the data from the mobile device to internal/external servers, applications, or other devices is critical
  • Virtualization is an important technology/solution to consider in a data centric approach: virtual desktops accessible from the mobile device or data stored in virtual/cloud environments are critical elements to evaluate
  • Accessing corporate data from mobile devices introduces the need for data integrity controls

For a solid BYOD approach, not only are well defined policies and standards critical, but the technology that enforces this governance should be in place to help ensure that the standards are adhered to. Many organizations may have well defined and communicated policies, but enforcing these restrictions on their users may be a daunting task without the appropriate technology and security framework. To facilitate this approach, mobile security requirements should be defined. A gap analysis should be conducted comparing current state capabilities to the desired state. Next, an overall mobile security operations framework should be developed and the operational processes to support this framework need to be defined. If the mobile security framework is planned appropriately to support a BYOD program and the risks are mitigated throughout the lifecycle, enterprises may see increased user productivity and satisfaction.

About the Writer:

Tim Sanouvong is a Senior Manager in Deloitte & Touche LLP’s Security & Privacy practice with 13 years of experience in the information security area. He specializes in leading large security projects spanning areas such as security strategy and governance, mobile security, and identity and access management. He has consulted for several clients across diverse industries such as financial services, retail, healthcare, state government, and aerospace and defense.

This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this document.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2013 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited

Wednesday Jan 09, 2013

Telenet uses Oracle Identity Management

The Company:

Founded in 1996, Telenet began as a European broadband services pioneer. Today, the company is a market leader in Belgium for residential high-speed internet, telephony, and digital television services. It serves 1.24 million digital television subscribers, 1.22 million internet customers, and 815,000 fixed telephony accounts. Telenet Solutions, the company’s business market division, offers a complete communications solutions portfolio for organizations and corporations, holding a commanding lead in the Belgian/Luxembourg business market.

Business Challenges:

  • Existing legacy identity management system required custom coding and was hard to maintain
  • Need to automate user provisioning for a dynamic workforce
  • Need to automate immediate revocation of user accounts on job changes to improve security
  • Wanted to accelerate the internal approval process for user access to business applications
  • Build transparency and gain complete insight into who has access to what and when


Telenet implemented Oracle Identity Management to centralize identity management and security operations. Leveraging Oracle Identity Manager and Oracle Identity Analytics (part of Oracle Identity Governance Suite), Telenet managed to automate user account administration, streamline user access control, optimize license management and offer insight into who had access to what business applications.

For more information on Telenet’s implementation, check out the case study and the following video.

Thursday Dec 20, 2012

Webcast Replay Now Available: Developing and Enforcing a BYOD Policy

Mobile Device Policy is a hot topic for IT - everyone knows they need a policy and enforcement tools, but few companies have actually created a formal policy covering employee owned devices.

Oracle and SANS teamed up to present a comprehensive look at mobile device policy: in the first segment, security expert Tony DeLaGrange presents current trends in mobile device policy based on a recent SANS survey.  In the second segment, SANS legal expert Ben Wright discusses the pros and cons of various BYOD policies from legal perspective.  And in the third segment, Oracle's own Lee Howarth presents the technology and software necessary to enforce mobile device and application access policies.

Click this link to register and listen to the replay: Webcast Registration

The presentation for this webcast is posted below.

Monday Dec 17, 2012

Partner Blog: aurionPro SENA - Mobile Application Convenience, Flexibility & Innovation Delivered

About the Writer:

Des Powley is Director of Product Management for aurionPro SENA Inc., the leading global Oracle Identity and Access Management specialist delivery and product development partner.

In October 2012 aurionPro SENA announced the release of the Mobile IDM application that delivers key Identity Management functions from any mobile device.

The move towards an always on, globally interconnected world is shifting Business and Consumers alike away from traditional PC based Enterprise application access and more and more towards an ‘any device, same experience’ world. It is estimated that within five years in many developing regions of the world the PC will be obsolete, replaced entirely by cheaper mobile and tablet devices. This will give a vast amount of new entrants to the Internet their first experience of the online world, and it will only be via these newer, mobile access channels.

Designed to address this shift in working and social environments, and released in October 2012, the aurionPro SENA Mobile IDM application addresses this emerging market by improving the Identity Management (IDM) experience of administrators, consumers and managers: it delivers a mobile application that provides rapid access to frequently used IDM services from any mobile device.

Built on the aurionPro SENA Identity Service platform, the mobile application uses Oracle’s Cloud, Mobile and Social capabilities and Oracle’s Identity Governance Suite for its core functions. The application has been developed using standards-based APIs to ensure seamless integration with a client’s on-premise IDM implementation, or equally seamlessly with the aurionPro SENA Hosted Identity Service.

The solution delivers multi-platform support including iOS, Android and BlackBerry and provides many key features including:

  • An easy-to-access view of all of a user’s own access privileges
  • The ability for managers to approve and track requests
  • Simple raising of requests for new applications, roles and entitlements through the service catalogue

This application has been designed and built with convenience and security in mind. We protect access to critical applications by enforcing PIN based authentication whilst also providing the user with mobile single sign on capability.

This is just one of the many highly innovative products and services that aurionPro SENA is developing for our clients as we continually strive to enhance the value of their investment in Oracle’s class-leading 11g R2 Identity and Access Management suite.

The Mobile IDM application is a key component of our Identity Services Suite that also includes Managed, Hosted and Cloud Identity Services. The Identity Services Suite has been designed and built specifically to break the barriers to delivering Enterprise, Mobile and Social Identity Management services from the Cloud.

aurionPro SENA - Building next generation Identity Services for modern enterprises.

To view the app please visit

For more information please contact

Friday Dec 14, 2012

Grow Your Business with Security

Author: Kevin Moulton

Kevin Moulton has been in the security space for more than 25 years, and with Oracle for 7 years. He manages the East Enterprise Security Sales Consulting Team. He is also a Distinguished Toastmaster. Follow Kevin on Twitter at, where he sometimes tweets about security, but might also tweet about running, beer, food, baseball, football, good books, or whatever else grabs his attention. Kevin will be a regular contributor to this blog so stay tuned for more posts from him.

It happened again! There I was, reading something interesting online, and realizing that a friend might find it interesting too. I clicked on the little email link, thinking that I could easily forward this to my friend, but no! Instead, a new screen popped up where I was asked to create an account. I was expected to create a User ID and password, not to mention providing some personally identifiable information, just for the privilege of helping that website spread their word.

Of course, I didn’t want to have to remember a new account and password, I didn’t want to provide the requisite information, and I didn’t want to waste my time. I gave up, closed the web page, and moved on to something else. I was left with a bad taste in my mouth, and my friend might never find her way to this interesting website. If you were this content provider, would this be the outcome you were looking for?

A few days later, I had a similar experience, but this one went a little differently. I was surfing the web, when I happened upon some little tchotchke that I just had to have. I added it to my cart. When I went to buy the item, I was again brought to a page to create an account. Groan!

But wait! On this page, I also had the option to sign in with my OpenID account, my Facebook account, my Yahoo account, or my Google Account. I have all of those! No new account to create, no new password to remember, and no personally identifiable information to be given to someone else (I’ve already given it all to those other guys, after all).

In this case, the vendor was easy to deal with, and I happily completed the transaction. That pleasant experience will bring me back again.

This is where security can grow your business. It’s a differentiator. You’ve got to have a presence on the web, and that presence has to take into account all the smart phones everyone’s carrying, and the tablets that took over Cyber Monday this year. If you are a company that a customer can deal with securely, and do so easily, then you are a company customers will come back to again and again.

I recently had a need to open a new bank account. Every bank has a web presence now, but they are certainly not all the same. I wanted one that I could deal with easily using my laptop, but I also wanted two-factor authentication in case I had to log in from a shared machine, and I wanted an app for my iPad. I found a bank with all three, and that’s who I am doing business with.

Let’s say, for example, that I’m in a regular Texas Hold’em game on Friday nights, so I move a couple of hundred bucks from checking to savings on Friday afternoons. I move a similar amount each week and I do it from the same machine. The bank trusts me, and they trust my machine. Most importantly, they trust my behavior. This is adaptive authentication. There should be no reason for my bank to make this transaction difficult for me.

Now let's say that I login from a Starbucks in Uzbekistan, and I transfer $2,500. What should my bank do now? Should they stop the transaction? Should they call my home number? (My former bank did exactly this once when I was taking money out of an ATM on a business trip, when I had provided my cell phone number as my primary contact. When I asked them why they called my home number rather than my cell, they told me that their policy is to call the home number. If I'm on the road, what exactly is the use of trying to reach me at home to verify my transaction?)

But, back to Uzbekistan

Should my bank assume that I am happily at home in New Jersey, and someone is trying to hack into my account? Perhaps they think they are protecting me, but I wouldn’t be very happy if I happened to be traveling on business in Central Asia.

What if my bank were to automatically analyze my behavior and calculate a risk score? Clearly, this scenario would be outside of my typical behavior, so my risk score would necessitate something more than a simple login and password. Perhaps, in this case, a one-time password to my cell phone would prove that this is not just some hacker half way around the world.
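To make the two scenarios concrete, here is an added example written for this page: a small risk-scoring engine that compares a transfer request against the customer’s own baseline (device, location, amount, velocity) and decides between allowing it, stepping up, or blocking. It is illustrative code, not from the post and not the algorithm of Oracle Adaptive Access Manager or any other product; every signal, weight and threshold is an assumption, and a production engine would learn the baseline from session history rather than from hand-set values. It also encodes the point from the ATM anecdote above: step-up is delivered on the channel the customer actually carries, not a fixed “home number”.

```python
"""Risk-based ("adaptive") authentication for an online banking transfer.

Added example: illustrative code, not from the post and not the algorithm of
Oracle Adaptive Access Manager. Every signal, weight and threshold below is an
assumption chosen to make the post's scenarios concrete.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class UserProfile:
    """Behavioural baseline built from past successful sessions (constructed)."""
    user_id: str
    known_devices: Set[str]      # device fingerprints seen before
    usual_countries: Set[str]    # country codes of past logins
    typical_amount: float        # median transfer amount
    preferred_contact: str       # channel for step-up, e.g. "cell" (not a fixed "home")


@dataclass
class TransferRequest:
    """Signals available at the moment of the request (constructed)."""
    user_id: str
    device_fingerprint: str
    country: str
    amount: float
    transfers_last_hour: int = 0


@dataclass
class RiskDecision:
    score: int                    # 0..100
    action: str                   # "allow", "step_up" or "block"
    factors: List[str] = field(default_factory=list)
    step_up_channel: Optional[str] = None


# Assumed weights; in practice tuned against fraud and false-positive rates.
W_UNKNOWN_DEVICE = 30
W_UNUSUAL_COUNTRY = 35
W_AMOUNT_GT_10X = 30
W_AMOUNT_GT_3X = 15
W_VELOCITY = 20

ALLOW_BELOW = 30   # below this: password alone is enough
BLOCK_AT = 95      # at or above this: refuse and alert rather than step up


def score_transfer(profile: UserProfile, req: TransferRequest) -> RiskDecision:
    """Combine deviations from the user's baseline into a score and an action."""
    if req.user_id != profile.user_id:
        raise ValueError("profile/request user mismatch")
    score = 0
    factors: List[str] = []

    if req.device_fingerprint not in profile.known_devices:
        score += W_UNKNOWN_DEVICE
        factors.append("unrecognised device")
    if req.country not in profile.usual_countries:
        score += W_UNUSUAL_COUNTRY
        factors.append(f"request from unusual country {req.country}")

    ratio = req.amount / profile.typical_amount if profile.typical_amount > 0 else float("inf")
    if ratio > 10:
        score += W_AMOUNT_GT_10X
        factors.append(f"amount {ratio:.1f}x typical")
    elif ratio > 3:
        score += W_AMOUNT_GT_3X
        factors.append(f"amount {ratio:.1f}x typical")
    if req.transfers_last_hour >= 2:
        score += W_VELOCITY
        factors.append("unusual transfer velocity")

    score = min(score, 100)
    if score < ALLOW_BELOW:
        return RiskDecision(score, "allow", factors)
    if score < BLOCK_AT:
        # Step up on the channel the customer carries (e.g. OTP to their cell), not a fixed home number.
        return RiskDecision(score, "step_up", factors, profile.preferred_contact)
    return RiskDecision(score, "block", factors)


# Constructed sample data mirroring the post's scenarios.
KEVIN = UserProfile("kevin", {"dev-home-laptop"}, {"US"}, 200.0, "cell")

FRIDAY_POKER = TransferRequest("kevin", "dev-home-laptop", "US", 200.0)
BUSINESS_TRIP = TransferRequest("kevin", "dev-home-laptop", "UZ", 2500.0)
STOLEN_CREDS = TransferRequest("kevin", "dev-unknown-7f3a", "UZ", 2500.0, transfers_last_hour=3)

if __name__ == "__main__":
    for name, req in [("routine", FRIDAY_POKER), ("travel", BUSINESS_TRIP), ("attack", STOLEN_CREDS)]:
        d = score_transfer(KEVIN, req)
        print(f"{name:8s} score={d.score:3d} action={d.action:8s} via={d.step_up_channel} {d.factors}")
```

The routine Friday transfer scores zero and passes on password alone. The same customer transferring $2,500 from Uzbekistan on his own laptop scores in the middle band and gets a one-time password sent to his cell, which a traveller can answer and an attacker on the other side of the world cannot. Only when an unknown device, an unusual country, an outsized amount and rapid repeat transfers all coincide does the score reach the block band.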

But, what if you're not a bank? Do you need this level of security? If you want to be a business that is easy to deal with while also protecting your customers, then of course you do.

You want your customers to trust you, but you also want them to enjoy doing business with you. Make it easy for them to do business with you, and they’ll come back, and perhaps even tweet about it, or Like you, and then their friends will follow.

How can Oracle help?

Oracle has the technology and expertise to help you to grow your business with security.

Oracle Adaptive Access Manager will help you to prevent fraud while making it easier for your customers to do business with you by providing the risk analysis I discussed above, step-up authentication, and much more.

Oracle Mobile and Social Access Service will help you to secure mobile access to applications by expanding on your existing back-end identity management infrastructure, and allowing your customers to transact business with you using the social media accounts they already know. You also have device fingerprinting and metrics to help you to grow your business securely.

Security is not just a cost anymore. It’s a way to set your business apart. With Oracle’s help, you can be the business that everyone’s tweeting about.

Image courtesy of Flickr user shareski

Tuesday Dec 11, 2012

Webcast Tomorrow: Securing the Cloud for Public Sector

Oracle Corporation
Securing the Cloud for Public Sector

Click here, to register for the live webcast.

Dec 12: A 360-Degree View of Security in the Cloud

Cloud computing offers government organizations tremendous potential to enhance public value by helping organizations increase operational efficiency and improve service delivery. However, as organizations pursue cloud adoption to achieve the anticipated benefits a common set of questions have surfaced. “Is the cloud secure? Are all clouds equal with respect to security and compliance? Is our data safe in the cloud?”

Join us December 12th for a webcast as part of the “Secure Government Training Series” to get answers to your pressing cloud security questions and learn how to best secure your cloud environments. You will learn about a comprehensive set of security tools designed to protect every layer of an organization’s cloud architecture, from application to disk, while ensuring high levels of compliance, risk avoidance, and lower costs.

Discover how to control and monitor access, secure sensitive data, and address regulatory compliance across cloud environments by:

  • providing strong authentication, data encryption, and (privileged) user access control to ensure that information is only accessible to those who need it
  • mitigating threats across your databases and applications
  • protecting applications and information – no matter where it is – at rest, in use and in transit

For more information, access the Secure Government Resource Center, or to speak with an Oracle representative, please call 1.800.ORACLE1.

LIVE Webcast
Securing the Cloud for Public Sector

December 12, 2012

2:00 p.m. ET
Visit the Secure Government Resource Center

Click here for information on enterprise security solutions that help government safeguard information, resources and networks.



Thursday Dec 06, 2012

Tackling Security and Compliance Barriers with a Platform Approach to IDM: Featuring SuperValu

On October 25, 2012 ISACA and Oracle sponsored a webcast discussing how SUPERVALU has embraced the platform approach to IDM.  Scott Bonnell, Sr. Director of Product Management at Oracle, and Phil Black, Security Director for IAM at SUPERVALU discussed how a platform strategy could be used to formulate an upgrade plan for a large SUN IDM installation.

See the webcast replay here: ISACA Webcast Replay (Requires Internet Explorer or Chrome)

Some of the main points discussed in the webcast include:

  • Getting support for an upgrade project by aligning with corporate initiatives
  • How to leverage an existing IDM investment while planning for future growth
  • How SUN and Oracle IDM architectures can be used in a coexistence strategy
  • Advantages of a rationalized, modern, IDM Platform architecture


Tuesday Nov 20, 2012

Oracle on Oracle: Is that all?

On October 17th, I posted a short blog and a podcast interview with Chirag Andani, talking about how Oracle IT uses its own IDM products. Blog link here.

Jaime Cardoso

In response, I received a comment from reader Jaime Cardoso, who posted:

“- You could have talked about how by deploying Oracle's Open standards base technology you were able to integrate any new system in your infrastructure in days.

- You could have talked about how by deploying federation you were enabling the business side to keep all their options open in terms of companies to buy and sell while maintaining perfect employee and customer's single view.

- You could have talked about how you are now able to cut response times to your audit and security teams into 1/10th of your former times

Instead you spent 6 minutes talking about single sign on and self provisioning? If I didn't know your IDM offer so well I would now be wondering what its differences from Microsoft's offer were.

Sorry for not giving a positive comment here but, please your IDM suite is very good and, you simply aren't promoting it well enough”

So I decided to send Jaime a note asking him about his experience, and to get his perspective on what makes the Oracle products great. What I found out is that Jaime is a very experienced IDM Architect with several major projects under his belt.

Darin Pendergraft: Can you tell me a bit about your experience? How long have you worked in IT, and what is your IDM experience?

Jaime Cardoso: I started working in "serious" IT in 1998 when I became Netscape's technical specialist in Portugal. Netscape Portugal didn't exist so, I was working for their VAR here. Most of my work at the time was with Netscape's mail server and LDAP server.

Since that time I've been bouncing between the systems side, like Sun resellers, Solaris stuff and even working with Sun's Engineering in the making of a Hierarchical Storage Product (Sun CIS if you know it), and the applications side, mostly in LDAP and IDM.

Over the years I've been doing support, service delivery and pre-sales / architecture design of IDM solutions in most big customers in Portugal, to name a few projects:

- The first European deployment of Sun Access Manager (SAPO – Portugal Telecom)

- The identity repository of 5/5 of the Biggest Portuguese banks

- The Portuguese government federation of services project

DP: OK, in your blog response, you mentioned 3 topics:

1. Using Oracle's standards based architecture; (you) were able to integrate any new system in days: can you give an example? What systems, how long did it take, number of apps/users/accounts/roles etc.

JC: It's relatively easy to design a user management strategy for a static environment, or if you simply assume that you're an <insert vendor here> shop and all your systems will bow to that vendor's will. We've all seen that path, the use of proprietary technologies in interoperability solutions, but then reality kicks in. At an ISP, I recall that I made the technical decision to use Active Directory as a central authentication system for the entire IT infrastructure. Clients, systems, apps, everything was there.

As a good part of the systems and apps were running on UNIX, a connector became needed in order to have the UNIX boxes authenticate against AD. That strategy worked, but each new machine required the component to be installed, monitoring had to be set up for that component, and each new app had to be independently certified.

A self-care user portal was an ongoing project; AD access assumes the client is inside the domain, something the ISP's customers (and UNIX boxes) weren't, nor had any intention of ever being.

When the Windows 2008 rollout was done, Microsoft changed the Active Directory interface. The Windows administrators didn't have enough know-how about directories and the way systems outside the MS world behaved, so on the go-live things weren't properly tested and a general outage followed. Several hours and one rollback later, everything was back working.

But the ISP still had to change all of its applications to work with the new access methods and reset the effort spent on the self-service user portal. To keep with the same strategy, they would also have to trust Microsoft not to change interfaces again.

Simply by putting up an Oracle LDAP server in the middle and replicating the user info from the AD into LDAP, most of the problems went away. Even systems for which no AD connector existed had PAM in them, so integration was made at the OS level, fully supported by the OS supplier.

Sun Identity Manager already had a self-care portal, combined with a user workflow, so all the clearances had to be given before the account was created or updated.

Adding a new system as a client for these authentication services was simply a new checkbox in the OS installer, and even Tru64 systems were, for the first time, integrated as well with 5 minutes of work by a junior system admin.

True, all the Windows clients and MS apps still went to the AD for their authentication needs, so from the start everybody knew that they weren't 100% free of migration pains, but now they had a single point of problems to look at.

If you're looking for numbers:

- 500K directory entries (users)

- 2-300 systems

After the initial setup, I personally integrated about 20 systems / apps against LDAP in 1 day while being watched by the different IT teams. The internal IT staff did the rest.

DP: 2. Using Federation allows the business to keep options open for buying and selling companies, and yet maintain a single view for both employee and customer. What do you mean by this? Can you give an example?

JC: The market is dynamic. The company that's being bought today will be sold again tomorrow. Companies that spread into different markets may see the regulator forcing a sale of part of a company for monopoly reasons, and companies that are in multiple countries have to comply with different legislations.

Our job, as IT architects, while addressing the customers' and employees' authentication services, is quite hard and quite contradictory. On one hand, we need to give all of our employees access to the relevant systems, apps and resources, and we already have marketing talking with us, trying to find out who's a customer of the bought company but not of ours, so they can address them.

On the other hand, we have to do that while keeping in mind that we may have to break up all that effort, and that different countries' legislation may become a problem for a full integration plan.

That's a job for user Federation. You don't want to be the one who's telling your President that he will sell that business unit without its customer database (making the deal worth a lot less), or that the buyer will take with him a copy of your entire customer database. Federation enables you to start controlling permissions for users outside of your traditional authentication realm. So what if the people of that company you just bought are keeping their old logins? Do you want, because of that, to have a dedicated system for their expense reports? And do you want to keep their sales (and pre-sales) people out of the loop in terms of your group's path?

Control the information flow, establish a Federation circle of trust and give access to your apps to users that haven't (yet?) been brought into your internal login systems. You can still see your users in a unified view, and you obviously control whether a user has access to any particular application, whether that user is in your local database or stored in a directory on the other side of the world.

DP: 3. Cut response times of audit and security teams to 1/10. Is this a real number? Can you give an example?

JC: No, I don't have any backing for this number.

One of the companies I did system administration for has a SOX compliance policy in place (I remind you that I live in Portugal, so this definition of SOX may be somewhat different from what you're used to) and, every time the audit team says they'll do another audit, we have to negotiate with them the size of the sample and we spend about 15 man-days gathering all the required info they ask for.

I did some work with Sun's Identity Auditor and, from what I've been seeing, Oracle's product is even better, and I've seen that most of the information they ask for would have been provided in a few hours with the help of this tool. I do stand by what I said here but, to be honest, someone from the Identity Auditor team would do a much better job than me explaining these time savings.

Jaime is right: the Oracle IDM products have a lot of business value, and Oracle IT is using them for a lot more than I was able to cover in the short podcast that I posted.

I want to thank Jaime for his comments and perspective. We want these blog posts to be informative and honest – so if you have feedback for the Oracle IDM team on any topic discussed here, please post your comments below.

Tuesday Nov 13, 2012

Developing and Enforcing a BYOD Policy

On October 23, SANS released Part 1 of their Mobile Access Policy Survey (webcast link) and Part 2 was presented on October 25th (webcast link).

Join us this Thursday, November 15th as SANS and Oracle present a follow up webcast that will review the survey findings and present guidance on how to create a mobile access policy for employee owned devices, and how to enforce it using Oracle IDM.

Click this link to register: Developing and Enforcing a BYOD Policy

This will be an excellent opportunity to get the latest updates on how organizations are handling BYOD policies and managing mobile access.

We will have 3 speakers:

Tony DeLaGrange a Security Expert from Secure Ideas will review the main findings of the SANS Mobile Access Survey

Ben Wright, a SANS instructor, attorney and technology law expert will present guidance on how to create BYOD policy

Lee Howarth from Oracle Product Management will review IDM technology that can be used to support and enforce BYOD policies.

Join us Thursday to hear about best practices and to get your BYOD questions answered.

Monday Oct 29, 2012

SANS Mobility Policy Survey Webcast follow up

Hello Everyone!  If you missed the SANS mobility survey webcast on October 23 - here is a link to the replay and to the slides: [Warning -  you have to register to see the replay and to get the slides]

The webcast had a lot of great information about how organizations are setting up and managing their mobile access policies.  Here are a couple of key takeaways:

1.  Who is most concerned about mobile access policy?

Security Analysts >> CISOs >> CIOs - the focus is coming from the risk and security office - so what does that mean for the IT teams?

2. How important is mobile policy?

77% said "Critical" or "Extremely Important" - so this means mobile access policies will get a lot of attention.

3. When asked about the state of their mobile policies:

Over 35% said they didn't have a mobile access policy and another 35% said they simply ask their employees to sign a usage agreement.  So basically ~70% of the respondents were not actively managing or monitoring mobile access.

Be sure to watch the webcast replay for all of the details.

Box, Oracle and RSA were all co-sponsors of the survey and webcast and all were invited to give a brief presentation at the end.

Friday Oct 26, 2012

Globe Trotters: Asian Healthcare CIOs need ‘Security Inside Out’ Approach

In our second edition of Globe Trotters, we wanted to share a feature article that was recently published in Enterprise Innovation. Enterprise Innovation, part of Questex Media Group, is Asia's premier business and technology publication.

The article featured MOH Holdings (a holding company of Singapore’s Public Healthcare Institutions) and highlighted the project around National Electronic Health Record (NEHR) system currently being deployed within Singapore.  According to the feature, the NEHR system was built to facilitate seamless exchanges of medical information as patients move across different healthcare settings and to give healthcare providers more timely access to patient’s healthcare records in Singapore. The NEHR consolidates all clinically relevant information from patients’ visits across the healthcare system throughout their lives and pulls them in as a single record. It allows for data sharing, making it accessible to authorized healthcare providers, across the continuum of care throughout the country.

In healthcare, patient data privacy is critical as is the need to avoid unauthorized access to the electronic medical records. As Alan Dawson, director for infrastructure and operations at MOH Holdings is quoted in the feature, “Protecting the perimeter is no longer enough. Healthcare CIOs today need to adopt a ‘security inside out’ approach that protects information assets all the way from databases to end points.”

Oracle has long advocated the ‘Security Inside Out’ approach. From operating systems, infrastructure to databases, middleware all the way to applications, organizations need to build in security at every layer and between these layers. This comprehensive approach to security has never been as important as it is today in the social, mobile, cloud (SoMoClo) world.

To learn more about Oracle’s Security Inside Out approach, visit our Security page. And for more information on how to prevent unauthorized access, streamline user administration, bolster security and enforce compliance in healthcare, learn more about Oracle Identity Management.

Monday Oct 22, 2012

Free SANS Mobility Policy Survey Webcast - October 23rd @10:00 am PST

Join us for a free webcast tomorrow, October 23 @ 10:00 am PST as SANS presents the findings from their mobility policy survey.

-- Register here for Part 1:

This is a great opportunity to see where companies are with respect to mobile access policies and overall mobile application management.

This first part is entitled: BYOD Wish Lists and Policies.  Part 2 will be run on October 25th and is entitled: BYOD security practices.

-- Register here for Part 2:

Friday Oct 19, 2012

Oracle presentations at the CIPS ICE Conference, November 5 - 7, Edmonton, Alberta, Canada

Oracle will be presenting at the CIPS ICE conference the last week of October in Calgary and the first week of November in Edmonton.

Here is a list of the presentations for Edmonton: SHAW Conference Centre

• Session Title: Identity and Access Management Integrated; Analyzing the Platform vs Point Solution Approach
• Speaker: Darin Pendergraft
• Monday, November 5th @ 10:45 AM - 12:00 PM

• Session Title: Is Your IT Security Strategy Putting Your Institution at Risk?
• Speaker: Spiros Angelopoulos
• Monday, November 5th @ 1:45 PM - 3:00 PM

Three sessions under the TRAIN: Practical Knowledge Track

• Monday, November 5th @ 10:45 AM, 1:45 PM, 3:30 PM
• Title: What's new in the Java Platform; Presenter: Donald Smith
• Title: Java Enterprise Edition 6; Presenter: Shaun Smith
• Title: The Road Ahead for Java SE, JavaFX and Java EE; Presenters: Donald Smith and Shaun Smith

To learn more about the conference, and to see the other sessions go to the conference website.

Wednesday Oct 17, 2012

Oracle on Oracle: How Oracle IT uses Oracle IDM

Sometimes, the toughest customers are your own employees.  Chirag Andani runs the Product Development Security IT Group - which means that his group is responsible for internal Identity Management and Security inside Oracle.

Like a lot of large, global companies, Oracle has a complicated and dynamic IT infrastructure which continues to change as the company grows and acquires companies.

I caught up with Chirag and asked him what kinds of problems his team faces, and asked him what he thinks about Oracle IDM, and 11gR2 in particular.

Listen to the podcast interview here: podcast link and check out his presentation below.


Tuesday Oct 16, 2012

ICAM Webcast Replay and slides

On October 10, 2012 Derrick Harcey and I co-presented on how Oracle IDM helps customers address the guidelines of Identity Credential Access Management, from a Federal (FICAM) and a State (SICAM) perspective.

If you missed the webcast, here is a link to the replay:  webcast replay link.

Derrick did a nice job reviewing the various ICAM components and architectures, and then invited me to provide additional detail on the Oracle technology stack.  He then closed by mapping the ICAM architectures to various components of the Oracle IDM platform.

The next webcast in the Secure Government Training Series, Safeguarding Government Cyberspace will be held Wednesday, November 28th.

Thursday Oct 11, 2012

Guest Blog: Secure your applications based on your business model, not your application architecture, by Yaldah Hakim

Today’s businesses are looking for new ways to engage their customers, embrace mobile applications, while staying in compliance, improving security and driving down costs.  For many, the solution to that problem is to host their applications with a Cloud Services provider, but concerns that a hosted application will be less secure continue to cause doubt.

Oracle is recognized by Gartner as a leader in the User Provisioning and Identity and Access Governance magic quadrants, and has helped thousands of companies worldwide to secure their enterprise applications and identities.  Now those same world-class IDM capabilities are available as a managed service, both for enterprise applications and for Oracle-hosted applications.

--- Listen to our IDM in the cloud podcast to hear Yvonne Wilson, Director of the IDM Practice in Cloud Service, explain how Oracle Managed Services provides IDM as a service ---

Selecting Oracle Managed Cloud Services to deploy and manage Oracle Identity Management Services is a smart business decision for a variety of reasons.

Oracle-hosted Identity Management infrastructure is deployed securely, is resilient to failures, and is supported by Oracle experts. In addition, Oracle Managed Cloud Services monitors customer solutions from several perspectives to ensure they continue to work smoothly over time. Customers gain the benefit of Oracle Identity Management expertise to achieve predictable and effective results for their organization.

Customers can select Oracle to host and manage any number of Oracle IDM products as a service as well as other Oracle’s security products, providing a flexible, cost effective alternative to onsite hardware and software costs.

Security is a major concern for all organizations, making it increasingly important, when selecting a cloud provider, to partner with a company like Oracle to ensure consistency and a layered approach to security and compliance.  Oracle Cloud Service makes this possible for our customers by taking away the headache and complexity of managing Identity Management infrastructure and other security solutions.


Friday Oct 05, 2012

This Week in Pictures: Oracle OpenWorld 2012

Here's a snapshot of the week in pictures!

Oracle OpenWorld 2012 was bigger and better than ever.

Security and Identity Management had quite a presence at the conference.

Both inside the sessions and outside, there were plenty of networking opportunities.

Captured some shots yourself? Do share your pictures from the conference...

Thursday Oct 04, 2012

Thursday at OpenWorld: Identity Management

Before you know it, we are at the last day at Oracle OpenWorld. But just the same, Thursday is packed with informational, educational and networking opportunities.

Here’s what is in store for you today:

Thursday, October 4, 2012

CON5749: Solutions for Migration of Oracle Waveset to Oracle Identity Manager
11:15 a.m. – 12:15 p.m., Moscone West 3008

Many customers of Oracle Waveset (formerly Sun Identity Manager) are planning a migration to the strategic provisioning product Oracle Identity Manager. There are several approaches to migrating to Oracle Identity Manager. Presented by Hub City Media and Oracle, this session covers these various approaches to help you select the optimum choice for your implementation.

CON9640: Evolving Identity Management
12:45 p.m. – 1:45 p.m., Moscone West 3008

Identity management requirements have evolved and are continuing to evolve as organizations seek to secure cloud and mobile access.  Customers are seeing good success reducing costs and supporting business growth by embracing a service-oriented, platform approach to addressing identity management requirements.  This session will explore these emerging requirements and share best practices for evolving your implementation.

CON9662: Securing Oracle Applications with the Oracle Enterprise Identity Management Platform
2:15 p.m. – 3:15 p.m., Moscone West 3008

Oracle Enterprise Identity Management solutions are designed to secure access to Oracle Applications and simplify their compliance.  Whether you are an EBS customer looking to upgrade from Oracle Single Sign-On or a Fusion Applications customer seeking to leverage the Identity instance as an enterprise security platform, this session with Qualcomm and Oracle will help you understand how to get the most out of your investment.

HOL10479: Integrated Identity Governance
12:45 p.m. – 1:45 p.m., Marriott Marquis – Salon 1/2

This hands-on lab demonstrates Oracle’s integrated and self-service-oriented identity governance solution, which includes simple access request, business-user-friendly access certification, closed-loop remediation, and both standard and privileged accounts.

For a complete listing, refer to the Focus on Identity Management document. And as always, you can find us on @oracleidm on twitter and FaceBook. Use #oow and #idm to join in the conversation.

Wednesday Oct 03, 2012

Wednesday at OpenWorld: Identity Management

Divide and conquer! Yes, divide and conquer today at Oracle OpenWorld with your colleagues to make the most of all things Identity Management since there’s a lot going on.

Here's the line-up for today:

Wednesday, October 3, 2012

CON9458: End End-User-Managed Passwords and Increase Security with Oracle Enterprise Single Sign-On Plus
10:15 a.m. – 11:15 a.m., Moscone West 3008

Most customers have a broad variety of applications (internal, external, web, client-server, host, etc.) and single sign-on systems that extend to some, but not all, systems. This session will focus on how enterprise single sign-on can help customers extend single sign-on to virtually any application, without costly application modification, while laying a foundation that will enable integration with a broader identity management platform.

CON9494: Sun2Oracle: Identity Management Platform Transformation
11:45 a.m. – 12:45 p.m., Moscone West 3008

Sun customers are actively defining strategies for how they will modernize their identity deployments. Learn how customers like Avea and SuperValu are leveraging their Sun investment, evaluating areas of expansion/improvement and building momentum.

CON9631: Entitlement-centric Access to SOA and Cloud Services
11:45 a.m. – 12:45 p.m., Marriott Marquis, Salon 7

How do you enforce that a junior trader can submit 10 trades/day, with a total value of $5M, if market volatility is low? How can you hide sensitive patient information from clerical workers but make it visible to specialists as long as consent has been given or there is an emergency? In this session, Uberether and HerbaLife take the stage with Oracle to demonstrate how you can enforce such entitlements on a service not just within your intranet but also right at the perimeter.

CON3957 - Delivering Secure Wi-Fi on the Tube as an Olympics Legacy from London 2012
11:45 a.m. – 12:45 p.m., Moscone West 3003

In this session, Virgin Media, the U.K.’s first combined provider of broadband, TV, mobile, and home phone services, shares how it is providing free secure Wi-Fi services to the London Underground, using Oracle Virtual Directory and Oracle Entitlements Server, leveraging back-end legacy systems that were never designed to be externalized. As an Olympics 2012 legacy, the Oracle architecture will form a platform to be consumed by other Virgin Media services such as video on demand.

CON9493: Identity Management and the Cloud
1:15 p.m. – 2:15 p.m., Moscone West 3008

Security is the number one barrier to cloud service adoption.  Not so for industry leading companies like SaskTel, ConAgra foods and UPMC. This session will explore how these organizations are using Oracle Identity with cloud services and how some are offering identity management as a cloud service.

CON9624: Real-Time External Authorization for Middleware, Applications, and Databases
3:30 p.m. – 4:30 p.m., Moscone West 3008

As organizations seek to grant access to broader and more diverse user populations, centrally defined and applied authorization policies become critical, both to identify who has access to what and to improve the end-user experience.  This session will explore how customers are using attribute- and role-based access to achieve these goals.

CON9625: Taking Control of WebCenter Security
5:00 p.m. – 6:00 p.m., Moscone West 3008

Many organizations are extending WebCenter in a business to business scenario requiring secure identification and authorization of business partners and their users. Leveraging LADWP’s use case, this session will focus on how customers are leveraging, securing and providing access control to Oracle WebCenter portal and mobile solutions.
Identity Management Customer Advisory Board
2:30 p.m. – 3:30 p.m., Four Seasons – Yerba Buena Room

This invitation-only event is designed exclusively for Customer Advisory Board (CAB) members to provide product strategy and roadmap updates.

Identity Management Meet & Greet Networking Event
3:30 p.m. – 4:30 p.m., Meeting Session
4:30 p.m. – 5:30 p.m., Cocktail Reception
Yerba Buena Room, Four Seasons Hotel, 757 Market Street, San Francisco

The CAB meeting will be immediately followed by an open Meet & Greet event hosted by Oracle Identity Management executives and product management team. Do take this opportunity to network with your peers and connect with the Identity Management customers.

For a complete listing, refer to the Focus on Identity Management document. And as always, you can find us on @oracleidm on twitter and FaceBook. Use #oow and #idm to join in the conversation.

Friday Sep 28, 2012

Identity Globe Trotters (Sep Edition): The Social Customer

Welcome to the inaugural edition of our monthly series - Identity Globe Trotters. Starting today, the last Friday of every month, we will explore regional commentary on Identity Management. We will invite guest contributors from around the world to share their opinions and experiences around Identity Management and highlight regional nuances, specific drivers, solutions and more.

Today's feature is contributed by Michael Krebs, Head of Business Development at esentri consulting GmbH, a (SOA) specialized Oracle Gold Partner based in Ettlingen, Germany. In his current role, Krebs is dealing with the latest developments in Enterprise Social Networking and the Integration of Social Media within business processes. 

By Michael Krebs

The relevance of "easy sign-on" in the age of the "Social Customer"

With the growth of Social Networks, the time people spend within those closed "eco-systems" is growing year by year. With social networks looking to integrate search engines, as Facebook announced some weeks ago, their relevance will continue to grow in contrast to the more conventional search engines. This is one of the reasons why users' social network accounts are becoming more and more like a virtual fingerprint.

With the growing relevance of social networks the importance of a simple way for customers to get in touch with say, customer care or contract departments, will be crucial for sales processes in critical markets. Customers want to have one single point of contact and also an easy "login-method" with no dedicated usernames, passwords or proprietary accounts. The golden rule in the future social media driven markets will be: The lower the complexity of the initial contact, the better a company can profit from social networks. If you, for example, can generate a smart way of how an existing customer can use self-service portals, the cost in providing phone support can be lowered significantly.

Recruiting and Hiring of "Digital Natives"

Another particular example is "social" recruiting processes. The so-called "digital natives" don't want to type their profile facts and CVs into proprietary systems. Why not use the actual LinkedIn profile? In the German-speaking region, the market for professional social networks is dominated by XING, the equivalent of LinkedIn. A few weeks back, this network also opened up its interfaces for integrating social sign-on or the use of profile data for recruiting purposes.

In the European (and especially the German) employment market, where the number of young candidates is shrinking because of the low birth rate in the region, it will become essential to use social-media supported hiring processes to find and on-board the rare talents. In fact, you will see traditional recruiting websites integrated with social hiring to attract the best talents in the market, where the pool of potential candidates has decreased dramatically over the years.

Identity Management as a key factor in the Customer Experience process

To create the biggest value for customers and also future employees, companies need to connect their HCM or CRM-systems with powerful Identity management solutions. With the highly efficient Oracle (social & mobile enabling) Identity Management solution, enterprises can combine easy sign on with secure connections to the backend infrastructure. This combination enables a "one-stop" service with personalized content for customers and talents. In addition, companies can collect valuable data for the enrichment of their CRM-data. The goal is to enrich the so called "Customer Experience" via all available customer channels and contact points. Those systems have already gained importance in the B2C-markets and will gradually spread out to B2B-channels in the near future.

Conclusion: Central and "Social" Identity management is key to Customer Experience Management and Talent Management

For a seamless delivery of "Customer Experience Management" and a modern way of recruiting the best talent, companies need to integrate Social Sign-on capabilities with modern CX - and Talent management infrastructure. This lowers the barrier for existing and future customers or employees to get in touch with sales, support or human resources. Identity management is the technology enabler and backbone for a modern Customer Experience Infrastructure. Oracle Identity management solutions provide the opportunity to secure Social Applications and connect them with modern CX-solutions. At the end, companies benefit from "best of breed" processes and solutions for enriching customer experience without compromising security.

About esentri:

esentri is a provider of enterprise social networking and brings the benefits of social network communication into business environments. As one key strength, esentri uses Oracle Identity Management solutions for delivering Social and Mobile access for Oracle’s CRM- and HCM-solutions.

…..End Guest Post….

With new and enhanced features optimized to secure the new digital experience, the recently announced Oracle Identity Management 11g Release 2 enables organizations to securely embrace cloud, mobile and social infrastructures and reach new user communities to help further expand and develop their businesses.

Additional Resources:

Oracle Identity Management 11gR2 release

Oracle Identity Management website

Datasheet: Mobile and Social Access (pdf)

IDM at OOW: Focus on Identity Management

Facebook: OracleIDM

Twitter: OracleIDM

We look forward to your feedback on this post and welcome your suggestions for topics to cover in Identity Globe Trotters. Last Friday, every month!

Wednesday Sep 26, 2012

11gR2: BETA Customer perspective with special guest, Ravi Meduri from Kaiser Permanente

Before Oracle IDM 11gR2 launched, we had a very successful BETA program. Kaiser was one of many great companies that participated, and I caught up with Ravi Meduri, IAM Systems Engineering Manager to ask him what he thought of the new release.

Listen to our podcast interview here: podcast interview, to hear Ravi talk about scalability and high availability features in 11gR2.

Thursday Sep 20, 2012

Sun2Oracle: Upgrading from DSEE to the next generation Oracle Unified Directory - webcast follow up

Thanks to all of the guest speakers on our Sun2Oracle webcast: Steve from Hub City Media, Albert from UCLA and our own Scott Bonell.

If you missed the webcast here is a link: Webcast Replay

During the webcast, we tried to answer as many questions as we could, but there were a few that we needed a bit more time to answer.  Albert from UCLA sent me the following information:

Alternate Directory Evaluation

We were happy with Sun DSEE. OUD, based on the research we had done, was a logical continuation of DSEE.  If we moved away, it was to go open source.

UCLA evaluated OpenLDAP, OpenDS, Red Hat's 389 Directory. We also briefly entertained Active Directory.

Ultimately, we decided to stay with OUD for the Enterprise Directory, and adopt OpenLDAP for the non-critical edge directories.


You mentioned federation, was that an important requirement for UCLA?

Yes. UCLA collaborates heavily with other higher education institutions around the country/world. We often have researchers wanting to sign into services provided by fellow higher ed institutions. We also have plenty of visiting scholars or collaborating researchers from other institutions accessing UCLA services. Higher education communities around the world have deployed Shibboleth/SAML-based federated IDM solutions to facilitate these collaborations:

And a more comprehensive listing of federations around the world:

What was the net change in hardware footprint?

Not much actually. We kept the same server/network topology: 

  • two servers at our local data center, one at our remote DR data center.
  • the servers replicate in real time via multi-master replication.
  • 1 of the servers at our local data center serves as the primary access server serving all query traffic. The other servers serve as hot standby.
  • On our old Sun DSEE servers we ran Red Hat Enterprise Linux AS release 4 (Nahant Update 8), 32-bit.  On the new OUD servers, Red Hat Enterprise Linux Server release 5.7 (Tikanga), 64-bit.

The only changes we made during the upgrade were that we upgraded the software from DSEE 6.3, upgraded Linux, and that we bought new servers. The old servers were Dell PowerEdge 2850's. The new ones are Dell PowerEdge R710's.

What is your hardware specification for one OUD 11g server…

Can you explain the HA/DR architecture a bit more?

RAM size, CPU type, and number?

We run 3 Dell PowerEdge R710 servers. Each server has 12GB RAM and two 2.4GHz Intel Xeon E5 645 processors. 2 of those servers run at UCLA's Data Center in a semi active-passive configuration. The 3rd server is located at UCLA Berkeley. All three are multi-master replicated. At run time, the bulk of LDAP query requests go to 1 server. Essentially, all of our authn/authz traffic is being handled by 1 server, with the other 2 acting as redundant backups.

Our IDM architecture is highly modular. All external access to the enterprise directory runs through a service layer. This layer consists of Shibboleth, a set of data update web services and loading programs, and a number of edge directories. All service layer components can be easily configured (some automatically) to seek out the secondary directory servers when the primary goes down. We take advantage of this capability during maintenance to keep the services available.

FYI, our servers are hosted in a tier 2.5 data center (We have tier 3-like capability for critical servers such as OUD, but we don't have that for all servers in the data center).
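The failover behaviour described in this answer (service-layer components that fall back to the standby directory servers when the primary is down, and return to the primary once it is back) as an added Python example. This is illustrative code written for this page, not UCLA's service layer or any Oracle component; the loopback addresses, the plain TCP liveness probe and the 30-second retry window are assumptions chosen so that it runs offline.

```python
"""Client-side failover across multi-master replicated LDAP servers (illustrative)."""
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse


@dataclass
class DirectoryServer:
    url: str    # ldap:// or ldaps:// URL; the addresses used below are constructed
    role: str   # "primary" or "standby"


def tcp_probe(url: str, timeout: float = 2.0) -> bool:
    """Cheap liveness check: can we open a TCP connection to the LDAP port?
    A TCP connect proves only that something listens; a production probe would
    also do an anonymous rootDSE read to confirm the directory itself answers."""
    parsed = urlparse(url)
    port = parsed.port or (636 if parsed.scheme == "ldaps" else 389)
    try:
        with socket.create_connection((parsed.hostname, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass
class FailoverPool:
    servers: List[DirectoryServer]
    probe: Callable[[str], bool] = tcp_probe
    retry_after: float = 30.0                      # assumed re-probe window (seconds)
    down_until: Dict[str, float] = field(default_factory=dict)

    def select(self, now: float) -> Optional[DirectoryServer]:
        """Return the first healthy server, primary first, so query traffic moves
        back to the primary automatically once it answers again. A server that
        failed its probe is skipped until its retry window expires. None means
        every server was down or skipped."""
        for server in sorted(self.servers, key=lambda s: s.role != "primary"):
            if self.down_until.get(server.url, 0.0) > now:
                continue
            if self.probe(server.url):
                return server
            self.down_until[server.url] = now + self.retry_after
        return None


def run_demo() -> Dict[str, object]:
    """Constructed scenario on loopback: the primary's port is closed, the standby's
    port has a live listener. Returns which role the pool chose on three successive
    selections and how many times each server was probed."""
    live = socket.socket()
    live.bind(("127.0.0.1", 0))
    live.listen(16)
    live_port = live.getsockname()[1]
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    dead_port = tmp.getsockname()[1]
    tmp.close()                                    # released: nothing listens here now

    probes: Dict[str, int] = {}

    def counting_probe(url: str) -> bool:
        probes[url] = probes.get(url, 0) + 1
        return tcp_probe(url, timeout=0.5)

    primary = DirectoryServer(f"ldap://127.0.0.1:{dead_port}", "primary")
    standby = DirectoryServer(f"ldap://127.0.0.1:{live_port}", "standby")
    # standby is listed first on purpose: the role, not list order, decides preference
    pool = FailoverPool([standby, primary], probe=counting_probe, retry_after=30.0)

    first = pool.select(now=0.0)    # primary probed and fails, standby probed and wins
    second = pool.select(now=10.0)  # inside retry window: primary skipped, not re-probed
    third = pool.select(now=45.0)   # window expired: primary probed again, still down
    live.close()
    return {
        "first_role": first.role if first else None,
        "second_role": second.role if second else None,
        "third_role": third.role if third else None,
        "primary_probes": probes.get(primary.url, 0),
        "standby_probes": probes.get(standby.url, 0),
    }


if __name__ == "__main__":
    print(run_demo())
```

The retry window is what keeps a flapping primary from being hammered with a probe on every request, and the primary-first ordering is what makes failback automatic after maintenance: no operator step is needed to send traffic back once the primary answers again.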

What was the cost of the migration?

Because of the labor and equipment cost differences, I don't think my numbers will be all that accurate. I can say the following:

  • We engaged Hub City Media for just about 1.5 months worth of work.
  • We had one system engineer working full time on the project throughout the 4 month period. He also managed the project.
  • We had fractional support/transition coordination from our Infrastructure Services team (sys admin, operations, networking), probably about 80 hours
  • We purchased 3 of the servers described above.
  • We purchased the OUD software.

How much testing did you do? Did you do load testing?

Yes. We conducted several passes of data loading/validation tests. In addition, we ran security vulnerability scans and ran multiple stress tests ranging from peak stress tests to sustained, multi-day simulations. Sorry. We can't release test result data, but I can say that OUD passed with flying colors.

We only had one engineer working on the project. Between test prep, run, and analysis, testing did take about a month.

Was the OUD Proxy used at UCLA?

No. We considered it, and might still consider it as we revise our architecture. But for the migration, we did not introduce the Proxy.

Can OUD Server and DSEE replicate each other?

Yes, but with caveats. There is no direct replication between OUD 11g and Sun DSEE 6.3. You need to place Oracle DSEE in between. In addition, there is an undisclosed cap on the replication rate. All of this may have changed since we worked on the project though. :-)

Wednesday Sep 19, 2012

Security Newsletter – September Edition is Out Now


The September issue of Security Inside Out Newsletter is out now. This month’s edition offers a preview of Identity Management and Security events and activities scheduled for Oracle OpenWorld. Oracle OpenWorld (OOW) 2012 will be held in San Francisco from September 30-October 4. Identity Management will have a significant presence at Oracle OpenWorld this year, complete with sessions featuring technology experts, customer panels, implementation specialists, product demonstrations and more. In addition, the latest technologies will be on display at the OOW demogrounds. Hands-on Lab sessions will allow attendees to do a technology deep dive and train with technology experts.

Executive Edge @ OpenWorld also features the very successful Oracle Chief Security Officer (CSO) Summit. This year’s summit promises to be a great educational and networking forum complete with a contextual agenda and attendance from well known security executives from organizations around the globe.

This month’s edition also does a deep dive on the recently announced Oracle Privileged Account Manager (OPAM). Learn more about the product’s key capabilities, business issues the solution addresses and information on key resources. OPAM is part of Oracle’s complete and integrated Oracle Identity Governance solution set.

And if you haven’t done so yet, we recommend you subscribe to the Security Newsletter to keep up to date on Security news, events and resources.

As always, we look forward to receiving your feedback on the newsletter and what you’d like us to cover in the upcoming editions.

Tuesday Sep 18, 2012

Webcast Reminder: Implementing IDM in Healthcare, September 19th @10:00 am PST

Join me and Rex Thexton from PwC tomorrow (September 19th) as we review an IDM project that Rex and his team completed for a large healthcare organization. Rex will talk through the IT environment and business drivers that led to the project, and then we will go through planning, design and implementation of the Oracle Identity Management products that PwC and the customer chose to complete the project.

This will be a great opportunity to hear about the trends that are driving IT Healthcare, and to get your Identity Management questions answered.

If you haven't already registered - Register Here!


Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.

