Tuesday Nov 17, 2015

The Lifecycle Management Opportunities of a Data Breach (Part 3) - Simeio Solutions

Identity lifecycle management is one of the most critical parts of a security and identity and access management program.  Identifying the assets and setting a baseline for acceptable risk needs to be considered before starting any security lifecycle project and must involve the proper stakeholders.  Let's refer back to our original blog post where we discussed the Ashley Madison breach.  When the company began, they had advertised their service with a commitment to delete customer info upon their request, but as the headline breach revealed, that was not the case.  The hackers were able to expose data related to tens of millions of accounts which suggests some part of the identity lifecycle management process was not properly followed.   The fact that so much data was compromised from the Database could imply that the attack originated there.  Soon after the attack, it was reported that a former contractor for the company may have been one of the responsible parties.

To some degree, we had a perfect storm brewing.  We had a company that was offering a service that some felt was morally unethical.  We had large amounts of sensitive data stored un-encrypted in a Database.  And we appear to have privileged account access given to a contractor, which may not have been revoked upon separation from the organization.   There have also been some additional discoveries made on the end-user accounts as well – such as the fact that many of the customer accounts utilized very basic passwords – one password cracking group has claimed that they were able to crack 11 million users’ passwords.  This latter topic is beyond the scope of this blog, but suffice it to say that it is important for organizations to enforce strong password policies.  

It is easy to look at the Ashley Madison situation through the tinted lenses of morality and assume nobody should care, doesn’t apply to me or they had it coming.  The reality is, the scenarios at Ashley Madison should keep every security officer awake at night.  Regardless if the attack/theft and ransom is around the morally questionable content of users, or the confidential financial records of customers, the same steps must be made to prevent the same outcome.

In our last blog we talked about privileged account access and how OPAM protects the keys to the kingdom.  But what about the everyday lifecycle of an employee or a contractor?  How do they request and receive access to the assets they need to do their job and nothing more?  How do we take away access rights as their relationship with the company changes (promotions, re-assignments, terminations)?

The Oracle Identity Governance Suite (OIG) enables us to manage entities across different targets/applications in a centralized manner. The solution can address the most complex business and security requirements without changing existing policies, procedures or target sources.

Self-service enables users to raise requests for themselves for access to particular resources or entitlements. It allows for fine-grained configuration such as restricting a user's self-service capabilities by defining policies and rules based on user attributes. For example, taking a scenario where the user is a contractor, certain fields can be denied attributes for such user types. Thus reducing the time of UI customization and preventing users from modifying user data which is not expected.

OIG has built in Admin roles which can be used for carrying out Admin specific tasks. New customized Admin roles can be defined by adding capabilities to a particular organization scope. It allows the creation of attribute based assignment of Admin roles, thus we can define our own membership rules.
Request based approvals enable the respective stakeholders, like role owner or entitlement owner to be involved in the approval process.  This is an important capability for scenarios where a user needs access to a particular account or entitlement. In the latest OIG PS3 release, workflows were introduced as a replacement for approval policies and can provide more logical responses for end user requests.

Role lifecycle management provides an efficient mechanism to automate and scale the provisioning and logical grouping of accesses and controls as well as helping to detect violations which we will cover in more detail in our next blog.

OIG ensures that on-boarding and off-boarding actions are followed based on the start and end dates respectively. It provides a set of access policies which are role based (which in turn can be attribute based) which ensures that uniformity is maintained across various target systems. Role to Access policies mapping is done during role configuration. If this association is done with lifecycle management enabled, it goes through a role owner approval process, thus ensuring role owners are aware of provisioning actions. The provisioning process based on tasks ensures that the proper workflow is followed. Immediate access termination can be done by administrators from the Identity console for users which are found to violate policies whether accidental or malicious. 

Proper sunrise and sunset of account access and entitlements is critical for contractors or in scenarios where access to privileged accounts and entitlements needs to be granted to users – in such cases we can define start and end dates of a particular entitlement and thus control access for a particular period providing another layer of protection against misused access rights.  OIG can automate the process of immediately revoking user access rights upon termination or suspension. This eliminates a commonly exploited security gap and opportunity for policy violations that can occur after the dismissal of an employee or contractor – which is the exact scenario that was assumed exploited at Ashley Madison.

The Oracle Identity Governance Suite can be used to establish a lifecycle management process that allows organization to have comprehensive governance of identities. It allows organizations to identify risks and make sure they address the organization’s defined policies. In the next blog in this series we will discuss more on certifications, audit, compliance and reporting and how it ties together with lifecycle management as part of a holistic security solution to enhance compliance.

For more information on how Simeio Solutions can help you with reducing exposure to data breach with Oracle technologies, please visit them at www.simeiosolutions.com

Wednesday Nov 11, 2015

Managing the Keys to the Kingdom - Privileged/Shared Accounts - Simeio Solutions

This is our second in a series of commentaries on minimizing the risk of becoming the next front page news story on data breaches. 

Privileged and Shared Accounts are some of the most critical assets to manage in an organization since they provide broad access to systems and sensitive corporate and state information. Privileged Accounts are those that typically allow administration of a system or provide higher levels of access within a system such as Linux/Unix ‘root’ or Oracle Database ‘sys’.

There can be many reasons why a user with access to a privileged account does bad things - they were not given an expected raise, denied a vacation or a promotion, or maybe they disagree with the ethical and moral policies of their employer.  Poor password management practices, such as sharing passwords for privileged accounts, or falling prey to smart social hacking is a simple way for others with malicious intentions to gain access to the Keys to the Kingdom.  There can also be privileged escalation attacks where a user  can gain additional access to a system beyond what he or she has been authorized to have by exploiting a vulnerability in that system.

As we discussed in our last blog entry, most data breaches are caused by events such as employees losing, having stolen, or simply unwittingly misusing, corporate assets.  After questioning over 7,000 IT executives and employees across North America and Europe, a recent industry report has found that 31 percent of employees cited simple loss or theft of credentials as the explanation for data breaches they had experienced, ahead of inadvertent misuse by an employee 27 percent of the time. External attacks were mentioned in 25 percent of cases with abuse by malicious insiders at 12 percent. The same selection of causes was cited at much lower levels for business partners.

It is equally important to keep an eye on service accounts associated with test and demo environments.  The principle of least privilege is the key - only assign privileges which are necessary for an employee to effectively do their job, and put the necessary controls in place to remove privileges when no longer warranted. Start with the most restrictive state possible and build out from there.

Organizations are struggling to manage a large number of administrative accounts in a secure, efficient, and scalable way. So the problem is how to handle the situation where we only provide access to a privileged account when it’s required to perform a specific task and how do we audit and report on those situations.

Oracle Privileged Account Manager (OPAM)
Fortunately, there are technologies available to protect an organization’s privileged or shared accounts.  When coupled with industry best practices, a program can be put in place to ensure that your organization doesn’t become the next headline data breach story.  

The following diagram and flow sequence describes how Oracle Privileged Account Manager in conjunction with the Oracle Identity Governance Suite is used to protect the Keys to the Kingdom.  

Flow sequence:
1.    Requester raises request for access to certain systems, groups, etc..
2.    Approver (manager, system owner, etc.) can deny, approve, or delegate request.
3.    As per the roles and policies configured for this request, OIG will provision appropriate access.
4.    (Privileged) User will login to the OPAM self-service console and be authenticated for the request.
5.    OPAM allows the user, for example a database administrator, to use a privileged account by “checking out /check in” a password for a particular enterprise application, operating system, or database server.
6.    ICF connectors provide out of the box integration with various target systems.
7.    When session access is granted, a notification (text message or email) can be sent to an OPAM Admin/IT Security admin.  OPAM Admin/IT Security admin can keep/terminate the session as appropriate.

The request based flow as depicted above ensures that the proper admin team is notified for the access which the present users have. Policies and roles ensure that the only access granted to a user, is that which they require (as per the principle of least privilege). It is always critical to do a periodic review of the policies and roles that are configured.  Sunrise and sunset of accounts and entitlements, access violations and certifications can all be handled by Oracle Identity Manager which will be discussed in a future blog post.  The password policies in place here can ensure strong authentication standards are followed. Additionally, the end users don’t need to remember multiple passwords – they actually never have to see the password for these protected, privileged systems. 

Default passwords are prone to risks so OPAM is configured to automatically change the password and thereby eliminating the possibility of the password being reused.  The system is set to change the password on every check-in, thereby precluding the administrator from reusing the same password again and hence is less prone to sniffing of password of privileged accounts. There may be cases where we need to rollback our privileged account target and in that case OPAM maintains a password history.

OPAM additionally provides session management and auditing capabilities to address various use cases. The OPAM dashboard shows real time status. By creating a single access point to the target resources, OPAM Privileged Session Manager helps administrators to control and monitor all the activities within a privileged session. When session access is granted, a notification can be sent to an auditor. Compliant third-party clients (e.g. Putty, OpenSSH) are supported.  OPSM will monitor SSH session activities through keystroke logging and records the input/output for each session into searchable historical records (transcripts) to support forensic analysis and audit data. OPAM leverages an OPAM agent on the target to capture and record user activities into a MPEG-4 encoded video for Windows playback. OPAM audits and logs all operations and provides its own built-in audit reports.

Additional benefits of OPAM are further realized when deployed in conjunction with some of the other capabilities delivered through the Oracle Identity Governance Suite.  This integration provides an enterprise with a complete governance solution to support ordinary and privileged users in order to meet compliance requirements. We will go into greater depth in our next blog on how OIG provides a simple and robust solution to fully manage the user life cycle with all essential features to secure enterprise assets.

For more information on how Simeio Solutions can help you with reducing exposure to data breach with Oracle technologies, please visit them at www.simeiosolutions.com

Tuesday Oct 27, 2015

Ensuring You Don’t Become the Next Data Breach Story (Part 1) - Simeio Solutions

Recent headline Cyber Crimes at major retailers, health insurers, and even US Government agencies suggest that those involved were not necessarily performed by criminal masterminds, but rather by individuals that at one time had been properly credentialed to access systems or by individuals that were simply exploring open doors to identify vulnerabilities,. As information technology moves further toward the cloud to provide services, we will start to see more security breaches on a greater scale than ever before.

The hack at Ashley Madison has captured the attention of the media on several continents. And it is of no surprise that the former CEO suggested that the hacking incident may have started with someone who at least at one time had legitimate, inside access to the company’s networks — such as a former employee or contractor. In another instance of data theft from a health insurer, it was determined that critical data and records were not properly encrypted leading to the theft of millions of records of personally identifiable information.

As per "The Federal Trade Commission", Identity theft was once again the number one complaint from Americans this year.

Oracle’s Defense-in-Depth strategy and solutions offered as part of the Oracle Identity Management suite of products can prevent the cyber breaches that we are becoming so accustomed to see on the nightly news.

Today’s blog will focus on a few specific capabilities of Oracle Identity Governance (OIG) and show how they can be used to protect against certain types of common exploits.

1. Privileged/Shared Accounts – Keys to the Kingdom.

Privileged and shared accounts unfortunately exist within every organization - designed at a time when security was an afterthought if even thought of at all. How does one prevent or limit privileged accounts like DB Admins from performing malicious actions when compromised? OIG provides session management and auditing capabilities which become the single point to control and monitor activities within privileged sessions. OIG will provide notification alerts on account checkout. You can also define the life of a session and limit the usage of commands.

2. User life cycle management – Role Appropriate Access and Removal of Orphaned Accounts

OIG allows for attribute based role management for application and administrator roles. One can define custom, fine-grained Admin roles. For new user on-boarding, privileges are based on roles, business rules and requests. We can also define sunrise and sunset of application and entitlements which limits the access of users such as contractors or temporary employees for defined time periods. Normal termination based on end date and immediate termination helps to remove privileges and accesses across all target systems. Simply, an individual should only have access and entitlements within and across applications to be effective at their job, and should lose access when they no longer have a business need.

3. Enforceable Password Policies – Start with the basics

Hard-coded passwords, weak/common passwords, and infrequently rotated passwords are at the center of some of the most commonly exploited attacks on organizations. OIG protects privileged/shared accounts with passwords that are mathematically infeasible to ever guess or break and can rotate them on a regular basis. Likewise, password policies can be set for all protected resources requiring individuals to use complex passwords and require regular password changing – making it impossible for an attacker to simply guess the right key to get them through the front door.

4. Protect and Audit

OIG provides the tools to protect privileged accounts. Checking credentials in and out, also allows us to keep track of who has been using these shared accounts. OIG goes one step further, and allows us to monitor specific session activities – capturing and recording user activities as an MPEG video.

Beyond privileged and shared accounts, OIG has powerful certification capabilities - whereby users, managers, and respective application owners can validate and check the accesses of individuals and their specific entitlements. Segregation of Duties (SOD) analysis is efficient and preventative, warning users about potential violations before even the submission of a request.

5. Encrypt the Data – If it cannot be read, it is useless.

There are many rules and regulations mandating encryption and it makes for sound advice regardless. For example, if you have to comply with the PCI-DSS standard, then credit card numbers need to be stored encrypted. OIG allows for encryption of critical attributes of applications – whether that might be credit card information, social security numbers, or other HR data. Additionally, while outside the core scope of this blog series, tools such as Oracle Advanced Security carries out strong encryption of databases to fully protect sensitive information whether at rest or in transit.

Cyber crime has a devastating economic impact on society and at the individual company level can cause reputation and punitive damage from which an organization might never recover. OIG is a vital information safeguard. It exists to protect sensitive data and information from the ever-evolving landscape of security threats. Regardless of the position that a company takes on the extent or viability of such threats, a strong OIG implementation helps to mitigate the risks of cyber crimes.

What's coming next?

Future blogs in this series will discuss in greater depth how the Oracle Identity Management solutions can prevent your organization from being the next front-page exploit.

For more information on how Simeio Solutions can help you with reducing exposure to data breach with Oracle technologies, please visit them at www.simeiosolutions.com

Wednesday Dec 11, 2013

Facilitating Secure BYOD: Deep Dive - Simeio Solutions

In our first post, we explored BYOD, its imminent challenges and tool sets which one can employ to overcome these hurdles. The second post gave you peek into Mobile Device Management (MDM) and the set of problems it alleviates.

In this post, I will briefly introduce you to a relatively lesser know Mobile Security term known as 'App Containerization'. Then we will continue to explore the Oracle Access Mobile and Social product offerings. This time, the emphasis would be on 'How' OAMMS facilitates a secure mobile experience and help you gain insight into what really happens behind the scenes.

Mobile Application Containerization: What does it really mean?
As the name clearly indicates, it is a mobile 'application' level security mechanism as opposed to 'device' level protection with an emphasis on providing finer-grained application-level controls, not just device-level controls. Application Containerization can allow organizations to protect their data on any mobile device by ensuring that security restrictions are applicable only when the user interacts with the enterprise/official business applications.

How is it different from Mobile Device Management?
Mobile Device Management (MDM), empowers IT with device level controls such as executing remote data wipe, enforcing device password policy etc. It is an indispensable tool for corporations. However, from an end user perspective, MDM brings to fore, concerns such as

Employee privacy invasion - Why should the organization have ACCESS to my personal photos, emails etc?

Employee personal data sustainability concerns - What if my company wipes out ALL of my personal data on my device in order to reduce risk for couple of corporate applications?

All that matters is to keep enterprise data secure, not to intrude user's privacy.

'Containerization' is a technique which can help organizations combine the best of both worlds. It is categorized under the 'Mobile Application Management' (MAM) domain.  This is a new generation mobile security technology which ensures tight reign over corporate data on mobile devices without being too intrusive for the end user. Personal and Containerized applications can coexist on the mobile device, but each containerized application's data stays within the confines of its own 'container'. Communication to corporate servers or other 'containerized' applications are completely 'secure'.

App Containerization Fundamentals and Strategies

  • Works on the concept of 'Sand-boxing' the application execution.
  • Provides a secure run-time container for each managed application and its data.
  • Clearly segregates personal and corporate applications and associated data irrespective of the device.

Few of the techniques which are employed for application containerization have been listed below

Application Wrapping
This strategy involves processing the application via the 'App Wrapping' tool and creating a security wrapper around it. This process does not require any additional 'coding'.

Customized Code Based Integration
Specific Software Development Kits (SDKs) can be leveraged in order to 'code' the functionalities which cannot be delivered via 'Application Wrapping', Mobile application developers can use APIs in the SDK to weave the capabilities of the mobile security platform within the applications.

Dual Persona
This is a containerization technique wherein corporate and personal applications are installed under separate areas which are abstracted as 'personas'

Encrypted Space
Applications and data may be kept within the confines of an encrypted space, or folder.

A comprehensive App Containerization strategy combined with device level protection can go a long way in providing end-to-end mobile security.

Where does Oracle come into the picture?
Through its recent acquisition of Bitzer Mobile, Oracle's rich portfolio of mobile security offerings has been further strengthened.  Oracle can help organizations with comprehensive solutions in order to manage the security of enterprise data held on employee's mobile devices.

Why Containerize Your Apps?
Containerization  improves user experience and productivity as well as ensures enterprise safety and compliance by,

  • Enabling secure and seamless data and service sharing between containerized apps. Users can access, edit, sync, and share corporate documents or other workflows that require multiple applications to work in coherence with each other.
  • Restricting a user’s ability to access, copy, paste or edit data held within the application container.
  • Enforcing security policies that govern access to the containerized data
  • Allowing employees to switch between personal and corporate applications seamlessly, without risk of compromising company information.

Let us pick up the thread from the very first post of this series, and take a deep dive into the Oracle Access Manger Mobile and Social product offerings.

Oracle Mobile and Social Feature Set

OAMSS features can be broadly categorized into the following

Mobile Services
Mobile Services segment of the OAMMS connect mobile devices and applications to existing IDAM services and components and enables organizations to reap full benefit of its existing IAM investments
Salient features of 'Mobile Services' are as follows

Under the hood, the basic Authentication process is powered by Oracle Access Manager.  A typical use case encapsulates the following set of events

  • The user launches the mobile application on his device which the him to the Mobile SSO Agent.
  • Assuming that the device is already registered, the Mobile SSO Agent sends the user name, password, and Client Registration Handle to the Mobile and Social server for validation.
  • Mobile and Social Server responds with a User Token as a result of the above process and this token is further utilized by the calling mobile application to request for an Access Token.
  • After fulfillment of Access Token by the Mobile and Social server, the business mobile application can leverage this token to make calls to the resources/enterprise applications protected by Oracle Access Manager or Oracle Enterprise Gateway.

OAMMS Authentication Process

The Authorization is taken care of by Oracle Entitlements Server (OES) which is driven by policy-based configurations. OES manages authorization for mobile devices and application with the help of 'mobile device context' which is nothing but a type of 'Identity Context' attribute.

Identity Context is made up of attributes known to the multiple identity and access management components involved in a transaction and it is shared across Oracle’s identity and access management components

Single Sign On
With SSO in place, user can multiple mobile applications on the same device without having to provide credentials for each application. Mobile SSO can be leveraged by both native and browser-based applications. A mobile application installed on the mobile device needs to be designated as a mobile SSO agent in order for mobile bases SSO to work.

  • The Mobile SSO agent application acts as a mediator between the Mobile and Social server and the other applications on the device that need to authenticate with the back end identity services.
  • It orchestrates and manages device registration, risk based authentication.
  • Ensures that the user credentials are never exposed to the mobile business application.
  • It can time-out idle sessions, manage global logout for all applications, and help in selective device wipe outs.

Device Registration
Oracle Adaptive Access Manager (OAAM) policies are executed by the OAAM Mobile Security Handler Plug-in.

  • The OAAM Security Handler Plug-in creates two security handles
    • oaam.device handle, which represents the mobile device
    • oaam.session handle, which represents an OAAM login session for a client application
  • The above mentioned 'handles' drive the 'device registration' process
  • OAAM policies can be configures to force device registration process to require Knowledge Based Authentication (KBA) or One Time Password (OTP)

Oracle Mobile and Social leverages adaptive security measures such as OTP by delegating to specialized components such as Oracle Adaptive Access Manager (OAAM)

Lost or Stolen Device Management
The Mobile and Social service works hand in hand with OAAM and counters these risks by providing a way to tag a device as lost or stolen and then implement policies that are designed to be invoked when a compromised device tries to gain access to sensitive resources via the mobile applications.

  • If the device has been reported lost or stolen, OAAM can be configured to challenge a user before providing access to the mobile applications and its associated data.
  • OAAM policies can also be designed to wipe out the device data if the device attempts to communicate with the Mobile and Social server after being reported lost or stolen.
  • OAAM policies can be configured to protect against 'Jailbroken' devices and wipe out the data. Mobile and Social service needs to be configured with jailbreak detection on.
Internet Identity Services
Internet Identity Services allow Oracle Mobile and Social to act as a relying party and leverages authentication and authorization services from cloud providers. Mobile applications can consume Social Identities securely and customers to federate easily with social networking sites

These services benefit the end users as well as the developers

User centric - The users are presented with convenient multiple log-in options and can use their existing credentials from cloud-based identity services to log in to mobile applications.

Rich OOTB support - Currently, OAMMS supports major Social Identity Providers such as Facebook, Google, LinkedIn, Twitter, Yahoo, Foursquare and Windows Live

Extensible - Developers can add relying party support for additional OpenID and OAuth Identity Providers by implementing a Java interface and using the Mobile and Social console to add the Java class to the Mobile and Social deployment.

Oracle Mobile and Social services can be easily extended to support other service providers, thanks to its flexible architecture based on 'Open' standards such as OAuth and OpenID

End to end flow wherein Identity Services are used in conjunction with OAM (for authentication)
  • A protected application is accessed by the user which in turn is intercepted the WebGate.
  • The Mobile and Social server presents a login page to the user after OAM analyses the authentication policies applicable to the resource.
  • The login page presents a menu of Social Identity Providers (e.g. Facebook) and the user is redirected to the login page for the selected Social Identity Provider
  • The user types a user name and password into the Social Identity Provider's login page which is validated by the Identity Provider redirects the control back to the Mobile and Social server.
  • The Mobile and Social server further processes the Identity assertions supplied by the Identity Provider and after retrieving user identity information, redirects the user's browser to Access Manager. This time HTTP headers in the page request provide Access Manager with the user's authentication status and attributes.
  • Access Manager creates a user session and redirects the user to the protected resource

User Profile Services
User Profile Services allows mobile applications to perform a variety of LDAP compliant directory server tasks.

  • Directory administrative tools can be created wherein an authorized administrator can invoke CRUD operations on users and groups, manage passwords and entities like managers etc.
  • Corporate or community white pages are another common application using User Profile services.
  • These services are inherently secure and protected by either an OAM token or a JSON Web Token (JWT), and they can also require device and application registration
  • OOTB support for seamless integration with popular LDAP compliant directory servers such as Oracle Directory Server, Oracle Internet Directory, Oracle Virtual Directory, Active Directory etc

SDKs help developers embed identity security features into mobile applications and promote usage of existing identity infrastructure services.

  • They promote ease of development of mobile applications by serving as a security layer and driving features like authentication, authorization, user profile services and secure storage.
  • The SDKs also serve as an 'abstraction layer' which allows system administrators to add, modify, and remove identity and access management services without having to update mobile applications installed by the user.
  • OAMMS provides dedicated APIs for each of its feature categories, namely, Mobile, Internet Identity and User Profile services

Oracle Mobile and Social Services provides separate client software development kits (SDKs) for Apple’s iOS and Google’s Android.

The SDK functionalities are segregated into four distinct modules

  • Authentication Module - Processes authentication requests on behalf of users, devices, and applications.
  • User Role Module - Provides User Profile Services that allow users and applications to get User and Group details from a configured Identity store.
  • REST Handler Module - Provides access to REST web services and automatic injection of tokens for Access Manager protected REST web services.
  • Cryptography Module - Provides simplified APIs to perform cryptography tasks like hashing, encryption, and decryption.
  • Secure Storage Module - Provides APIs to store and retrieve sensitive data using the preferences storage of Android.

Generic REST API
Oracle Mobile and Social Services exposes its functionality through a consistent REST interface thus enabling any device capable of HTTP communication to send REST calls to the Mobile and Social server. These can be leveraged when it is not possible for to utilize the SDKs directly for communicating with the Mobile And Social backend components.

API Security
Oracle API Gateway (OAG) acts as a filtration layer for inbound for REST calls into the Mobile and Social server. It integrates seamlessly with OAM and OES to provide authentication and access control.

In the Mobile and Social solution context, OAG provides services such as

  • Validating JSON Web Tokens (JWT) embedded within REST calls
  • Mapping of XML to JSON for consumption by mobile devices
  • Validation of HTTP parameters, REST query and POST parameters, XML and JSON schemas
  • Protection against Denial of Service (DoS), SQL injection, and cross-site scripting attacks.
  • Auditing and logging web API usage tracking for each mobile client.

OAG and OES leverage their individual capabilities to provide context-aware authorization of mobile business transactions, authorization for REST APIs, and selective data redaction in the response payload.
Sequence of steps involved in OES powered authorization and 'redaction' process

  • A mobile application request which is intercepted  by OAG delegates authentication to OAM.
  • OAG leverages an integration adapter called OES Java Security Service Module (SSM). to interact with OES to authorize the request.
  • After successful authentication and authorization, the user  is granted access to requested resource (business application).
  • Further authorization is driven by OES based on configured policies and it might end up in 'redaction' of some confidential information from the response.
  • OES thus provides the 'redacted' response to OAG which further propagates it back to the requester

OAG and OES working in tandem

I hope you have gained a fair idea of the challenges which enterprise mobility requirements poses and the various options which Oracle FMW product suite has to offer to modern day organizations to empower and enable to them overcome these hurdles and successfully mobilize their workforce. Customers who are already utilizing products such as Oracle Access Manager and Adaptive Access Manager can easily leverage Oracle Mobile and Social to extend the same security capabilities to mobile applications.  Our final post will introduce you to the nuances of Mobile Device Management (MDM) for facilitating secure BYOD programme in the 'Cloud'.

About the Author
Abhishek Gupta is a Senior IAM Engineer at Simeio Solutions. He has over 5 years of experience in the IAM space and has been involved in design, development and implementation of IAM solutions for Simeio's customers with a prime focus on Oracle IAM Suite.

Wednesday Jun 26, 2013

Taking the Plunge - or Dipping Your Toe - into the Fluffy IAM Cloud by Paul Dhanjal (Simeio Solutions)

In our last three posts, we’ve examined the revolution that’s occurring today in identity and access management (IAM). We looked at the business drivers behind the growth of cloud-based IAM, the shortcomings of the old, last-century IAM models, and the new opportunities that federation, identity hubs and other new cloud capabilities can provide by changing the way you interact with everyone who does business with you.

In this, our final post in the series, we’ll cover the key things you, the enterprise architect, should keep in mind when considering moving IAM to the cloud.

Invariably, what starts the consideration process is a burning business need: a compliance requirement, security vulnerability or belt-tightening edict. Many on the business side view IAM as the “silver bullet” – and for good reason. You can almost always devise a solution using some aspect of IAM.

The most critical question to ask first when using IAM to address the business need is, simply: is my solution complete? Typically, “business” is not focused on the big picture. Understandably, they’re focused instead on the need at hand: Can we be HIPAA compliant in 6 months? Can we tighten our new hire, employee transfer and termination processes? What can we do to prevent another password breach? Can we reduce our service center costs by the end of next quarter?

The business may not be focused on the complete set of services offered by IAM but rather a single aspect or two. But it is the job – indeed the duty – of the enterprise architect to ensure that all aspects are being met. It’s like remodeling a house but failing to consider the impact on the foundation, the furnace or the zoning or setback requirements. While the homeowners may not be thinking of such things, the architect, of course, must.

At Simeio Solutions, the way we ensure that all aspects are being taken into account – to expose any gaps or weaknesses – is to assess our client’s IAM capabilities against a five-step maturity model ranging from “ad hoc” to “optimized.” The model we use is similar to Capability Maturity Model Integration (CMMI) developed by the Software Engineering Institute (SEI) at Carnegie Mellon University. It’s based upon some simple criteria, which can provide a visual representation of how well our clients fair when evaluated against four core categories:

·         Program Governance

·         Access Management (e.g., Single Sign-On)

·         Identity and Access Governance (e.g., Identity Intelligence)

·         Enterprise Security (e.g., DLP and SIEM)

Often our clients believe they have a solution with all the bases covered, but the model exposes the gaps or weaknesses. The gaps are ideal opportunities for the cloud to enter into the conversation.

The complete process is straightforward:

1.    Look at the big picture, not just the immediate need – what is our roadmap and how does this solution fit?

2.    Determine where you stand with respect to the four core areas – what are the gaps?

3.    Decide how to cover the gaps – what role can the cloud play?

Returning to our home remodeling analogy, at some point, if gaps or weaknesses are discovered when evaluating the complete impact of the proposed remodel – if the existing foundation wouldn’t support the new addition, for example – the owners need to decide if it’s time to move to a new house instead of trying to remodel the old one.

However, with IAM it’s not an either-or proposition – i.e., either move to the cloud or fix the existing infrastructure. It’s possible to use new cloud technologies just to cover the gaps.

Many of our clients start their migration to the cloud this way, dipping in their toe instead of taking the plunge all at once. Because our cloud services offering is based on the Oracle Identity and Access Management Suite, we can offer a tremendous amount of flexibility in this regard. The Oracle platform is not a collection of point solutions, but rather a complete, integrated, best-of-breed suite. Yet it’s not an all-or-nothing proposition. You can choose just the features and capabilities you need using a pay-as-you-go model, incrementally turning on and off services as needed. Better still, all the other capabilities are there, at the ready, whenever you need them.

Spooling up these cloud-only services takes just a fraction of the time it would take a typical organization to deploy internally. SLAs in the cloud may be higher than on premise, too. And by using a suite of software that’s complete and integrated, you can dramatically lower cost and complexity.

If your in-house solution cannot be migrated to the cloud, you might consider using hardware appliances such as Simeio’s Cloud Interceptor to extend your enterprise out into the network. You might also consider using Expert Managed Services. Cost is usually the key factor – not just development costs but also operational sustainment costs. Talent or resourcing issues often come into play when thinking about sustaining a program. Expert Managed Services such as those we offer at Simeio can address those concerns head on.

In a cloud offering, identity and access services lend to the new paradigms described in my previous posts. Most importantly, it allows us all to focus on what we're meant to do – provide value, lower costs and increase security to our respective organizations. It’s that magic “silver bullet” that business knew you had all along.

If you’d like to talk more, you can find us at simeiosolutions.com.

Wednesday Jun 19, 2013

Identity in an Interconnected World: by Paul Dhanjal (Simeio Solutions)

In today’s interconnected world, we’re being forced to re-think what identity means and to adopt entirely new models for managing it. One thing’s for sure: it’s no longer confined to inside the walls of the enterprise. The lines between internal and external data ownership are blurring. In this, our third post in the series, we’ll delve a bit deeper into what these external identities look like to help us understand the implications for IT.

Let’s start by reviewing the old model. Traditionally, all identity data was internal – each application or service stored and managed all the user information it needed – completely self contained.

But “self-contained” is really just a nice way of saying “silo.” We encounter these identity silos all the time. A large corporation may have dozens, the result of mergers and acquisitions or through the independent initiatives of multiple lines of business. We see it among business partners in value chains – retail partners, ISVs, distributors, etc. We see it in government where various departments – DMV, tax collector, police department, social services, etc. – all separately collect and manage overlapping data on the same set of users.

For companies, these identity silos are costly to build and maintain – the duplication of capabilities and data is highly inefficient, and synchronizing changes across silos is difficult or impossible. They limit visibility and insight. It’s difficult to recognize an individual customer across services, for example – what looks like 10 different users is often the same person.

New cloud-based identity and access management (IAM) models have emerged to address these issues, powered in large part by two key technologies: virtual directories and identity hubs.

Virtual directories, such as Oracle Virtual Directory (OVD), are designed to provide a single, centralized authentication point for multiple services. They unify multiple directories, providing a real-time consolidated view of a person’s identity record regardless of where it’s stored. Because they typically come with adapters for most major directories and databases including those from Oracle, Sun, IBM, Microsoft and Novell, they can be remarkably easy to deploy.

The actual user accounts are still decentralized – created and maintained in the original authentication sources, not in the virtual directory. But to an application or service that’s part of the network, it appears that there’s one centralized source for authentication, removing a ton of complexity from the application, breaking down silos, and allowing you to recognize an individual across all your services.

The identity hub completes the picture. It serves as a broker between the application and the various authoritative sources of identity attributes in both enterprise and federated scenarios. It provides a single authoritative view of user data in what is generally a decentralized environment where user data is scattered among multiple repositories.

More importantly, that view changes depending on who is accessing it. Each application (or business unit, department, division, or customer) has a view that’s limited to only the information that’s deemed appropriate. That’s determined by the owner of the information, which can be another division within the same company, an external partner, or even an individual customer.


By combining the identity hub with a governance framework for identity federation via the cloud, you can easily share these views with partners who provide services, while ensuring the appropriate (and only the appropriate) information is securely delivered to each service provider by you, the identity provider. Simeio’s Cloud Services, for example, uses Oracle Access Manager 11g R2 to gather the requested attributes within the identity hub and build an encrypted claim in a form tailored for the consuming service.

Once you or your partners can access this information on demand, it may no longer be necessary to own or even store any portion of a user’s identity – certainly not their password, which would instantly get you out of the business of password management, including support desks and reset mechanisms.
In this new model, identity is no longer something isolated in individual applications and maintained in a single organization. Information becomes fluid, on-demand, real-time, relevant to business units, and – most important – transportable to other businesses or clients, which reduces complexity and speed to market, and opens the door to entirely new business models and revenue streams. We’ll have more on this in our fourth and final chapter.

Wednesday Jun 12, 2013

Abandoning our "Last Century" IAM Models by Paul Dhanjal (Simeio Solutions)

In our previous blog, we looked at the business drivers behind the growth of cloud-based Identity and Access Management (IAM). These drivers, combined with cultural and technology trends, have made cloud-based IAM more attractive – and, frankly, more necessary – than ever.

Now that business has evolved to offer more and more interconnected and interdependent services to a wider range of users, the old models we had relied on to manage identities no longer apply. Our old identity management and security models designed for internal users simply can’t keep up with the rapidly evolving landscape. The forces that are shaping this new reality are so powerful, their momentum so great, that they now dictate the terms of how identity must be managed within an organization. The balance of power has shifted away from the IT organization and into the hands of end-users. If you are to meet their expectations, if you hope to compete and remain relevant, you must make the transition from build-your-own IAM to out-of-the-box IAM, from customization to configuration.

While there may be a big stick pushing us to make this transition, the carrots are equally compelling: lower costs, faster time to market, enhanced security, greater flexibility and, perhaps most important, the freedom to focus on the value and quality of the services you provide instead of how they’re provided.

There may be no better example of this than bring-your-own-device (BYOD). For years, IT laid down the law to prevent it. Now, fueled by the consumerization of mobile devices and tablets, BYOD has become the rule rather than the exception. It was inevitable. BYOD not only reduces strain on the organization to purchase and support such devices, it also increases employee satisfaction and productivity.

But, of course, the concerns behind the original reticence to allow BYOD remain. In fact, those concerns are magnified now that we’ve moved from uniform desktops tethered to the office to diverse mobile devices that can literally be taken – and lost  – anywhere in the world.

Here’s where out-of-the-box solutions such as Oracle Access Management Suite come to the rescue. They’re designed to enable centralized policy management for securing access to services via mobile applications, going beyond web single sign-on, authentication and authorization. Such solutions are designed from the ground up to handle the added complexity of password management and security in a mobile world, including strong authentication, real-time behavioral profiling, and device fingerprinting. Adaptive products such as those from Oracle provide a multi-faceted approach to mitigate breaches into mobile and Web Applications, all while tying into a closed loop audit process with powerful reporting and notification engines.

Another example is the growing need to manage external identities – those of partners or customers. It may be tempting to use existing capabilities designed for internal identities for this. After all, the same basic services are involved, including handling access requests, granting access, and password management. But the differences are simply too great. There are different business needs, different security concerns, different compliance requirements, even different licensing issues.

Here, too, the new cloud-based IAM models offer us a solution. Their multi-tenancy capabilities mean a single instance of software can serve multiple constituencies discretely by virtually partitioning the management of identities based on any criteria or business need.

As they say on those late night infomercials, that’s not all. The cloud model and its converging standards open the door to entirely new ways of dealing with external identities. For example, products such as Oracle Access Manager allow users to register for a site's services using their social login IDs as an authentication mechanism (using OAuth and OpenID standards). This gets the organization out of the business of managing these external identities altogether, delegating password management, user profile, account settings, etc. to a third party – Google or Facebook, for example. 

If you’re not willing to delegate these tasks, you can still leverage external identities during registration by pulling the user’s basic identity information from a trusted third-party identity provider (IDP). This approach marries the old with the new, maintaining a security perimeter for user access by ensuring audit and closed-loop certification processes are still in place, while reducing the burden on the user who no longer has to provide basic information in order to register.

Delegation is a recurring theme in new IAM models. Cloud-based IAM, for example, makes it easy to push out user administration, certification and operational request management to individual lines of business. This in turn enables you to downsize centralized call support by using delegated authorities within those business units – managers who are closer (both conceptually and physically) to the users who require access. This is done via strong workflow management, which ties into a well-governed and managed role service as well as enterprise roles and processes for mover/joiner/leaver scenarios.

Case in point: the HR systems the US government uses to provision all roles (for resources and entitlements). Users request access directly from their managers. End-dates are used to enforce de-provisioning of all granted access, even during termination. The result is end-to-end lifecycle management with delegated administration, while ensuring compliance with a centralized audit process.

In our next post, we’ll explore what identity looks like in a secure, connected world and what that means for your business.


Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.


« December 2015