Tuesday Jun 18, 2013

The Keys to the Password Vault by Matthew Scott (aurionPro SENA)

Super user accounts are, unfortunately, a necessary evil. It’s just a fact of life in the IT industry that someone, somewhere, has to have the ability to make fundamental (and therefore potentially catastrophic!) changes to key systems.

One of my least favourite experiences as a consultant was gaining access to an account though a process that was reminiscent of a spy thriller  – the password was typed onto a card, which was cut in two, with each half stored in a separate safe and each key entrusted to a meticulous security officer. Navigating the procedures to get the halves together in time to be useful was a trial of persuasion and scheduling – I can see why Tom Cruise prefers to abseil in through the roof instead of filling in yet another form!

Compliance officers are increasingly scrutinising privileged accounts and the processes that control access to them – not surprisingly, since surveys have shown that up to a quarter of IT professionals have experienced misuse of such accounts, and almost half of all companies fail to manage these accounts in accordance with the law (http://www.computerweekly.com/news/2240111956/One-in-four-IT-security-staff-abuse-admin-rights-survey-shows). The results can be spectacular and sobering – the UBS trader Kweku Adoboli cost his company $2.3 billion after making disastrous trades using a privileged account which he was not authorised to use.

Thankfully, there is now a better way. As we’ve seen in this series, with the ESSO suite the technology exists to manage user passwords without the user having to actually ‘know’ that password. It is possible to extend this functionality to include those previously hard to manage privileged accounts by introducing Oracle Privileged Accounts Manager (OPAM). OPAM acts as a secure password vault for privileged accounts, but unlike other password vaults it can be connected directly to the ESSO Logon Manager agent so that passwords can be requested, obtained and used, all from the user’s desktop.

OPAM is particularly useful for companies with large, decentralised UNIX environments. We are currently engaged with a large financial organisation which has several hundred servers, with various distributions of Linux and UNIX that are managed by different teams. With OPAM, all those precious root accounts have for the first time been corralled together in one location, where they can be released as needed to any authorised user. OPAM is equally adept at managing identities stored in directories, including Windows service accounts within Active Directory.

To calm the fears of any compliance officers who may be reading these words nervously, it is possible to implement workflows to control the request process. This may include approvals from a higher authority, complete with email or mobile notifications to the approver. And of course ESSO and OPAM feature end-to-end audit trails – from request, to check out, to each use of the privileged account, through to check in. Tracking who has being doing what with each account has never been easier.

In addition to managing privileged accounts, the ESSO suite also allows users to distribute their personal accounts in a similar manner. Many of us have experienced the frustration of needing access to a system, a record or an email only to discover that the person with access is on holiday or otherwise unavailable. In extreme cases, this may require that the absent user’s Windows account be reset to allow another user to log on and gain access. ESSO’s Account Delegation allows these key users to pro-actively devolve their account credentials to another user for a set period – no passwords required!

Tuesday Jun 04, 2013

Putting the EASY into ESSO! by Matthew Scott (aurionPro SENA Blog Series - Ch1)

Enterprise Single Sign-On occupies an unusual position in the field of IAM. In automating the sign-on of users to their applications, it is somewhat uniquely, a client-side application. For some of our customers, the role of enterprise SSO in an IAM programme isn’t entirely clear. I’ve spoken with many security architects who view its use as somehow tantamount to cheating. Surely, they assert, if we fully integrate systems at the back-end then the need for a client component doing sign-on becomes unnecessary. Architecturally this may be true. But the realities are that users have issues with passwords right now. Enterprise single sign-on addresses problems immediately. However, it’s also much more than just a tool that signs the user on to anything from their desktop. It is a tool that can be used to solve related business problems and technical challenges just as well as it can deliver users from their credential nightmares.

In this series of four articles, we will explore how enterprise SSO can be used to deliver these additional benefits. We will cover zero touch credential provisioning, making enterprise single sign-on an integrated part of an IAM programme and the management of delegated accounts. First, however, we’ll start with an easy one… making everyone happy all at the same time!

Capturing business requirements for identity and access management projects can be an art. There are so many interested parties – technical, legal, HR, end-users, application owners to name but a few – that it’s rare to reach a speedy consensus. I was in one such meeting with a customer a while back who were trying to explore what the success criteria would be for their enterprise single sign-on initiative. Relatively straightforward, you’d think, but after five hours the customer was still going round in circles! It wasn’t until the project sponsor finally arrived at the meeting and spoke about his vision that sanity was restored. His single request? His single measure? “Make it easy for my users!” That’s all he wanted. If other benefits accrued, that was a bonus.

Oracle’s Enterprise Single Sign-non Suite Plus (Oracle ESSO) is designed to do precisely what the project sponsor wanted. It includes a number of technologies designed to relieve the pain of passwords, by reducing the number of forgotten or incorrect credentials that a user has, whilst simultaneously making it easier to provide those same credentials to users without compromising security. What’s more, these benefits can be obtained surprisingly quickly – Oracle ESSO has a very light footprint and a flexible framework approach to managing credentials for almost any application. Web, Windows, Cloud or mainframe, passwords can quickly be eliminated as a source of pain for users and IT staff alike.

Oracle ESSO takes the management of credentials away from users. It stores passwords in a secure manner so that the user cannot forget it. It manages the password lifecycle, securely updating credentials when they expire. And it streamlines the user experience – application logon is handled automatically, so the user can get to work immediately without having to fumble over the username and password.

Of course, Oracle ESSO also allows the organisation to achieve lots of other benefits if it’s implemented correctly – reduced number of calls to helpdesk, increased productivity through faster password resets and so on. But fundamentally, as a user-facing tool it has to be one that’ll gain rapid acceptance for its deployment to be heralded as a success. The additional benefits won’t appear if the users don’t adopt the new tools they’re given.

aurionPro SENA has considerable experience with the Oracle ESSO suite. In fact, we’ve got the deployment of Oracle ESSO down to a fine art. Referring back to our original customer above – speed of deployment was important. “Proof of concept in days, pilot in weeks, deployment in two months” was the mantra. All with no significant operational impact on either end-users or IT personnel. We helped the customer achieve these goals. Deploying Oracle ESSO requires a delicate balance of technical knowledge, light-touch project management and extremely well-managed engagement with the end-user community. The last element is the most important. Involving key users as early as possible when their applications are being ‘profiled’ for single sign-on helps to ensure that they buy in to the end goal. They understand how Oracle ESSO will enhance the way that they work and are keen to share this with other users. If done right, a cascade of anticipation can ripple through the user community so that, rather than fearing change as can often happen with IT projects, the users are willing the change to arrive sooner! The use of appropriate briefing tools, promotion of the new system and similar techniques can further enhance the effectiveness of the final Oracle ESSO rollout.

So, Oracle ESSO makes it easy for end-users. That’s great, that’s exactly what our customer wanted, and it’s what any user-facing application should strive to do. Deploying Oracle ESSO, when managed properly, is one of those very unusual IT projects, though. Not only does it make things easier for end-users, it also makes things easier for IT support teams, helpdesk operators, auditors and a whole range of teams within the organisation. So it’s win-win all round.

But this is just the starting point. Oracle ESSO acts as a great launch pad for customers looking to further streamline credential management, giving users a better experience whilst also improving security and providing previously unavailable audit data. Stay tuned as we demonstrate how you can unlock the potential of Oracle ESSO.

 

Monday Feb 18, 2013

BAE Systems Maritime – Submarines Division Builds Security with Oracle Enterprise Single Sign-On

The Company:

BAE Systems is one of world’s largest global defense, aerospace, and security companies, employing approximately 93,500 people. BAE Systems Maritime – Submarines division designs and manufactures submarines for the United Kingdom Ministry of Defense and the Royal Navy.

Business Challenges:

  • Automate user authentication across their entire application environment as part of a wider program to implement a new enterprise resource planning (ERP) system
  • Improve and strengthen security and user efficiency throughout the 20-year development and build cycle for submarines
  • Enable simplified single sign-on across all systems including legacy applications
  • Enforce segregation of duty (SoD) among staff by restricting and controlling application access to better meet financial regulatory guidelines
  • Improve employee on-boarding and off-boarding to optimize application licenses

Solution:

BAE Systems worked with Oracle partner, aurionPro SENA to implement Oracle Enterprise Single Sign-On Suite to enable secure, simplified access for employees required for designing and building submarines over a 20-year lifecycle. The implementation allowed BAE Systems to secure user access to critical systems and enforce segregation of duties.

Additional benefits included improved user efficiency and reduced service-desk requests by eliminating the need for employees to remember passwords for 20 to 30 key applications, in addition to an array of periphery systems required to develop submarines. The company was also able to better manage regulatory requirements now having just a single source of truth to determine user access.

For more information on BAE Systems’ implementation, check out the case study.

Monday Jan 07, 2013

Partner Blog Series: aurionPro SENA - Who Moved My Security Boundary? - Part 1

The “Always On” Culture

This is the first in a small series of blogs on the changing nature of identity within organizations, from both an internal and a consumer perspective.  In this we have considered how the pace of change is forcing traditional approaches to be developed to accommodate the needs and likes of the target population more than ever. 

A large part of the culture change we see is that of the Always on Culture.  “Instant gratification” may be too bold a statement, but the essence of this is ensuring the right person can see the information they want, when, where and how they wish to; but within the boundaries of what is appropriate for the data they are viewing.  If we don’t provide the information, our competitors may do so and gain critical advantage.  

So what is the fuss about?  Users are more demanding than they have ever been.  Arguably they don’t care about what is appropriate for the provider of the information, or at least not until it is something that directly affects them.  At a very personal level, we may want to have access to say our medical records when and where we wish.  Conversely, when we learn that those same records have been viewed by a myriad of people with no meaningful reason, we get upset.  Appropriate use, then is the key both for the provider and the consumer of the data.

Traditional security approaches are only a part of the solution.  In fact, if our identity approach is broken, then traditional security approaches can be meaningless.  If I don’t know who you are, what your rights are, why am I doing anything with you at all?  Balancing this, balancing consumer, user, provider and of course legislative requirements is fundamentally not delivered without good Identity and Access Management.  Know your target audience, know the context of their request for information – where, how, when – and drive your response by these. 

In the follow on article, we’ll be reflecting on an associated consideration, that of BYOD (Bring Your Own Device) and what this really means, both for the user and the employer.

If you’ve a deeper view of the Always on Culture and what organisations should be doing to respond to this, or fundamentally see this from a different perspective, let us know.  There is no one right approach.  Without good Identity and Access Management, though, I’d staunchly argue there are plenty of wrong ones.

About the Writer:

Mike Nelsey, Managing Director, aurionPro SENA

Working in the IT industry since the early 90’s, Mike leads the aurionProSENA European operation. Mike has been involved in identity and access management since 1999 when the company won its first framework agreement with UK policing for web access control. Since then he has overseen the company’s strategy moving into a focused delivery model working closely with Oracle to provide a true stack offering covering consult, design, build and support.

Monday Dec 17, 2012

Partner Blog: aurionPro SENA - Mobile Application Convenience, Flexibility & Innovation Delivered

About the Writer:

Des Powley is Director of Product Management for aurionPro SENA inc. the leading global Oracle Identity and Access Management specialist delivery and product development partner.

In October 2012 aurionPro SENA announced the release of the Mobile IDM application that delivers key Identity Management functions from any mobile device.

The move towards an always on, globally interconnected world is shifting Business and Consumers alike away from traditional PC based Enterprise application access and more and more towards an ‘any device, same experience’ world. It is estimated that within five years in many developing regions of the world the PC will be obsolete, replaced entirely by cheaper mobile and tablet devices. This will give a vast amount of new entrants to the Internet their first experience of the online world, and it will only be via these newer, mobile access channels.

Designed to address this shift in working and social environments and released in October of 2012 the aurionPro SENA Mobile IDM application directly addresses this emerging market and requirement by enhancing administrators, consumers and managers Identity Management (IDM) experience by delivering a mobile application that provides rapid access to frequently used IDM services from any Mobile device.

Built on the aurionPro SENA Identity Service platform the mobile application uses Oracle’s Cloud, Mobile and Social capabilities and Oracle’s Identity Governance Suite for it’s core functions. The application has been developed using standards based API’s to ensure seamless integration with a client’s on premise IDM implementation or equally seamlessly with the aurionPro SENA Hosted Identity Service.

The solution delivers multi platform support including iOS, Android and Blackberry and provides many key features including:

Providing easy to access view all of a users own access privileges

The ability for Managers to approve and track requests

Simply raising requests for new applications, roles and entitlements through the service catalogue

This application has been designed and built with convenience and security in mind. We protect access to critical applications by enforcing PIN based authentication whilst also providing the user with mobile single sign on capability.

This is just one of the many highly innovative products and services that aurionPro SENA is developing for our clients as we continually strive to enhance the value of their investment in Oracle’s class leading 11G R2 Identity and Access Management suite.

The Mobile IDM application is a key component of our Identity Services Suite that also includes Managed, Hosted and Cloud Identity Services. The Identity Services Suite has been designed and built specifically to break the barriers to delivering Enterprise, Mobile and Social Identity Management services from the Cloud.

aurionPro SENA - Building next generation Identity Services for modern enterprises.

To view the app please visit http://youtu.be/btNgGtKxovc

For more information please contact des.powley@aurionprosena.com

About

Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
3
4
5
6
7
8
11
12
13
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today