Wednesday Dec 11, 2013

Facilitating Secure BYOD: Deep Dive - Simeio Solutions

In our first post, we explored BYOD, its imminent challenges and tool sets which one can employ to overcome these hurdles. The second post gave you peek into Mobile Device Management (MDM) and the set of problems it alleviates.

In this post, I will briefly introduce you to a relatively lesser know Mobile Security term known as 'App Containerization'. Then we will continue to explore the Oracle Access Mobile and Social product offerings. This time, the emphasis would be on 'How' OAMMS facilitates a secure mobile experience and help you gain insight into what really happens behind the scenes.

Mobile Application Containerization: What does it really mean?
As the name clearly indicates, it is a mobile 'application' level security mechanism as opposed to 'device' level protection with an emphasis on providing finer-grained application-level controls, not just device-level controls. Application Containerization can allow organizations to protect their data on any mobile device by ensuring that security restrictions are applicable only when the user interacts with the enterprise/official business applications.

How is it different from Mobile Device Management?
Mobile Device Management (MDM), empowers IT with device level controls such as executing remote data wipe, enforcing device password policy etc. It is an indispensable tool for corporations. However, from an end user perspective, MDM brings to fore, concerns such as

Employee privacy invasion - Why should the organization have ACCESS to my personal photos, emails etc?

Employee personal data sustainability concerns - What if my company wipes out ALL of my personal data on my device in order to reduce risk for couple of corporate applications?

All that matters is to keep enterprise data secure, not to intrude user's privacy.

'Containerization' is a technique which can help organizations combine the best of both worlds. It is categorized under the 'Mobile Application Management' (MAM) domain.  This is a new generation mobile security technology which ensures tight reign over corporate data on mobile devices without being too intrusive for the end user. Personal and Containerized applications can coexist on the mobile device, but each containerized application's data stays within the confines of its own 'container'. Communication to corporate servers or other 'containerized' applications are completely 'secure'.

App Containerization Fundamentals and Strategies

  • Works on the concept of 'Sand-boxing' the application execution.
  • Provides a secure run-time container for each managed application and its data.
  • Clearly segregates personal and corporate applications and associated data irrespective of the device.

Few of the techniques which are employed for application containerization have been listed below

Application Wrapping
This strategy involves processing the application via the 'App Wrapping' tool and creating a security wrapper around it. This process does not require any additional 'coding'.

Customized Code Based Integration
Specific Software Development Kits (SDKs) can be leveraged in order to 'code' the functionalities which cannot be delivered via 'Application Wrapping', Mobile application developers can use APIs in the SDK to weave the capabilities of the mobile security platform within the applications.

Dual Persona
This is a containerization technique wherein corporate and personal applications are installed under separate areas which are abstracted as 'personas'

Encrypted Space
Applications and data may be kept within the confines of an encrypted space, or folder.

A comprehensive App Containerization strategy combined with device level protection can go a long way in providing end-to-end mobile security.

Where does Oracle come into the picture?
Through its recent acquisition of Bitzer Mobile, Oracle's rich portfolio of mobile security offerings has been further strengthened.  Oracle can help organizations with comprehensive solutions in order to manage the security of enterprise data held on employee's mobile devices.

Why Containerize Your Apps?
Containerization  improves user experience and productivity as well as ensures enterprise safety and compliance by,

  • Enabling secure and seamless data and service sharing between containerized apps. Users can access, edit, sync, and share corporate documents or other workflows that require multiple applications to work in coherence with each other.
  • Restricting a user’s ability to access, copy, paste or edit data held within the application container.
  • Enforcing security policies that govern access to the containerized data
  • Allowing employees to switch between personal and corporate applications seamlessly, without risk of compromising company information.


Let us pick up the thread from the very first post of this series, and take a deep dive into the Oracle Access Manger Mobile and Social product offerings.

Oracle Mobile and Social Feature Set

OAMSS features can be broadly categorized into the following

Mobile Services
Mobile Services segment of the OAMMS connect mobile devices and applications to existing IDAM services and components and enables organizations to reap full benefit of its existing IAM investments
Salient features of 'Mobile Services' are as follows

Authentication
Under the hood, the basic Authentication process is powered by Oracle Access Manager.  A typical use case encapsulates the following set of events

  • The user launches the mobile application on his device which the him to the Mobile SSO Agent.
  • Assuming that the device is already registered, the Mobile SSO Agent sends the user name, password, and Client Registration Handle to the Mobile and Social server for validation.
  • Mobile and Social Server responds with a User Token as a result of the above process and this token is further utilized by the calling mobile application to request for an Access Token.
  • After fulfillment of Access Token by the Mobile and Social server, the business mobile application can leverage this token to make calls to the resources/enterprise applications protected by Oracle Access Manager or Oracle Enterprise Gateway.


OAMMS Authentication Process

Authorization
The Authorization is taken care of by Oracle Entitlements Server (OES) which is driven by policy-based configurations. OES manages authorization for mobile devices and application with the help of 'mobile device context' which is nothing but a type of 'Identity Context' attribute.

Identity Context is made up of attributes known to the multiple identity and access management components involved in a transaction and it is shared across Oracle’s identity and access management components

Single Sign On
With SSO in place, user can multiple mobile applications on the same device without having to provide credentials for each application. Mobile SSO can be leveraged by both native and browser-based applications. A mobile application installed on the mobile device needs to be designated as a mobile SSO agent in order for mobile bases SSO to work.

  • The Mobile SSO agent application acts as a mediator between the Mobile and Social server and the other applications on the device that need to authenticate with the back end identity services.
  • It orchestrates and manages device registration, risk based authentication.
  • Ensures that the user credentials are never exposed to the mobile business application.
  • It can time-out idle sessions, manage global logout for all applications, and help in selective device wipe outs.

Device Registration
Oracle Adaptive Access Manager (OAAM) policies are executed by the OAAM Mobile Security Handler Plug-in.

  • The OAAM Security Handler Plug-in creates two security handles
    • oaam.device handle, which represents the mobile device
    • oaam.session handle, which represents an OAAM login session for a client application
  • The above mentioned 'handles' drive the 'device registration' process
  • OAAM policies can be configures to force device registration process to require Knowledge Based Authentication (KBA) or One Time Password (OTP)

Oracle Mobile and Social leverages adaptive security measures such as OTP by delegating to specialized components such as Oracle Adaptive Access Manager (OAAM)

Lost or Stolen Device Management
The Mobile and Social service works hand in hand with OAAM and counters these risks by providing a way to tag a device as lost or stolen and then implement policies that are designed to be invoked when a compromised device tries to gain access to sensitive resources via the mobile applications.

  • If the device has been reported lost or stolen, OAAM can be configured to challenge a user before providing access to the mobile applications and its associated data.
  • OAAM policies can also be designed to wipe out the device data if the device attempts to communicate with the Mobile and Social server after being reported lost or stolen.
  • OAAM policies can be configured to protect against 'Jailbroken' devices and wipe out the data. Mobile and Social service needs to be configured with jailbreak detection on.
Internet Identity Services
Internet Identity Services allow Oracle Mobile and Social to act as a relying party and leverages authentication and authorization services from cloud providers. Mobile applications can consume Social Identities securely and customers to federate easily with social networking sites

These services benefit the end users as well as the developers

User centric - The users are presented with convenient multiple log-in options and can use their existing credentials from cloud-based identity services to log in to mobile applications.

Rich OOTB support - Currently, OAMMS supports major Social Identity Providers such as Facebook, Google, LinkedIn, Twitter, Yahoo, Foursquare and Windows Live

Extensible - Developers can add relying party support for additional OpenID and OAuth Identity Providers by implementing a Java interface and using the Mobile and Social console to add the Java class to the Mobile and Social deployment.



Oracle Mobile and Social services can be easily extended to support other service providers, thanks to its flexible architecture based on 'Open' standards such as OAuth and OpenID

End to end flow wherein Identity Services are used in conjunction with OAM (for authentication)
  • A protected application is accessed by the user which in turn is intercepted the WebGate.
  • The Mobile and Social server presents a login page to the user after OAM analyses the authentication policies applicable to the resource.
  • The login page presents a menu of Social Identity Providers (e.g. Facebook) and the user is redirected to the login page for the selected Social Identity Provider
  • The user types a user name and password into the Social Identity Provider's login page which is validated by the Identity Provider redirects the control back to the Mobile and Social server.
  • The Mobile and Social server further processes the Identity assertions supplied by the Identity Provider and after retrieving user identity information, redirects the user's browser to Access Manager. This time HTTP headers in the page request provide Access Manager with the user's authentication status and attributes.
  • Access Manager creates a user session and redirects the user to the protected resource


User Profile Services
User Profile Services allows mobile applications to perform a variety of LDAP compliant directory server tasks.

  • Directory administrative tools can be created wherein an authorized administrator can invoke CRUD operations on users and groups, manage passwords and entities like managers etc.
  • Corporate or community white pages are another common application using User Profile services.
  • These services are inherently secure and protected by either an OAM token or a JSON Web Token (JWT), and they can also require device and application registration
  • OOTB support for seamless integration with popular LDAP compliant directory servers such as Oracle Directory Server, Oracle Internet Directory, Oracle Virtual Directory, Active Directory etc

SDKs and REST APIs
SDKs help developers embed identity security features into mobile applications and promote usage of existing identity infrastructure services.

  • They promote ease of development of mobile applications by serving as a security layer and driving features like authentication, authorization, user profile services and secure storage.
  • The SDKs also serve as an 'abstraction layer' which allows system administrators to add, modify, and remove identity and access management services without having to update mobile applications installed by the user.
  • OAMMS provides dedicated APIs for each of its feature categories, namely, Mobile, Internet Identity and User Profile services

Oracle Mobile and Social Services provides separate client software development kits (SDKs) for Apple’s iOS and Google’s Android.

The SDK functionalities are segregated into four distinct modules

  • Authentication Module - Processes authentication requests on behalf of users, devices, and applications.
  • User Role Module - Provides User Profile Services that allow users and applications to get User and Group details from a configured Identity store.
  • REST Handler Module - Provides access to REST web services and automatic injection of tokens for Access Manager protected REST web services.
  • Cryptography Module - Provides simplified APIs to perform cryptography tasks like hashing, encryption, and decryption.
  • Secure Storage Module - Provides APIs to store and retrieve sensitive data using the preferences storage of Android.


Generic REST API
Oracle Mobile and Social Services exposes its functionality through a consistent REST interface thus enabling any device capable of HTTP communication to send REST calls to the Mobile and Social server. These can be leveraged when it is not possible for to utilize the SDKs directly for communicating with the Mobile And Social backend components.

API Security
Oracle API Gateway (OAG) acts as a filtration layer for inbound for REST calls into the Mobile and Social server. It integrates seamlessly with OAM and OES to provide authentication and access control.

In the Mobile and Social solution context, OAG provides services such as

  • Validating JSON Web Tokens (JWT) embedded within REST calls
  • Mapping of XML to JSON for consumption by mobile devices
  • Validation of HTTP parameters, REST query and POST parameters, XML and JSON schemas
  • Protection against Denial of Service (DoS), SQL injection, and cross-site scripting attacks.
  • Auditing and logging web API usage tracking for each mobile client.

OAG and OES leverage their individual capabilities to provide context-aware authorization of mobile business transactions, authorization for REST APIs, and selective data redaction in the response payload.
Sequence of steps involved in OES powered authorization and 'redaction' process

  • A mobile application request which is intercepted  by OAG delegates authentication to OAM.
  • OAG leverages an integration adapter called OES Java Security Service Module (SSM). to interact with OES to authorize the request.
  • After successful authentication and authorization, the user  is granted access to requested resource (business application).
  • Further authorization is driven by OES based on configured policies and it might end up in 'redaction' of some confidential information from the response.
  • OES thus provides the 'redacted' response to OAG which further propagates it back to the requester

OAG and OES working in tandem

Conclusion
I hope you have gained a fair idea of the challenges which enterprise mobility requirements poses and the various options which Oracle FMW product suite has to offer to modern day organizations to empower and enable to them overcome these hurdles and successfully mobilize their workforce. Customers who are already utilizing products such as Oracle Access Manager and Adaptive Access Manager can easily leverage Oracle Mobile and Social to extend the same security capabilities to mobile applications.  Our final post will introduce you to the nuances of Mobile Device Management (MDM) for facilitating secure BYOD programme in the 'Cloud'.

About the Author
Abhishek Gupta is a Senior IAM Engineer at Simeio Solutions. He has over 5 years of experience in the IAM space and has been involved in design, development and implementation of IAM solutions for Simeio's customers with a prime focus on Oracle IAM Suite.


Wednesday Jun 26, 2013

Taking the Plunge - or Dipping Your Toe - into the Fluffy IAM Cloud by Paul Dhanjal (Simeio Solutions)

In our last three posts, we’ve examined the revolution that’s occurring today in identity and access management (IAM). We looked at the business drivers behind the growth of cloud-based IAM, the shortcomings of the old, last-century IAM models, and the new opportunities that federation, identity hubs and other new cloud capabilities can provide by changing the way you interact with everyone who does business with you.

In this, our final post in the series, we’ll cover the key things you, the enterprise architect, should keep in mind when considering moving IAM to the cloud.

Invariably, what starts the consideration process is a burning business need: a compliance requirement, security vulnerability or belt-tightening edict. Many on the business side view IAM as the “silver bullet” – and for good reason. You can almost always devise a solution using some aspect of IAM.

The most critical question to ask first when using IAM to address the business need is, simply: is my solution complete? Typically, “business” is not focused on the big picture. Understandably, they’re focused instead on the need at hand: Can we be HIPAA compliant in 6 months? Can we tighten our new hire, employee transfer and termination processes? What can we do to prevent another password breach? Can we reduce our service center costs by the end of next quarter?

The business may not be focused on the complete set of services offered by IAM but rather a single aspect or two. But it is the job – indeed the duty – of the enterprise architect to ensure that all aspects are being met. It’s like remodeling a house but failing to consider the impact on the foundation, the furnace or the zoning or setback requirements. While the homeowners may not be thinking of such things, the architect, of course, must.

At Simeio Solutions, the way we ensure that all aspects are being taken into account – to expose any gaps or weaknesses – is to assess our client’s IAM capabilities against a five-step maturity model ranging from “ad hoc” to “optimized.” The model we use is similar to Capability Maturity Model Integration (CMMI) developed by the Software Engineering Institute (SEI) at Carnegie Mellon University. It’s based upon some simple criteria, which can provide a visual representation of how well our clients fair when evaluated against four core categories:

·         Program Governance

·         Access Management (e.g., Single Sign-On)

·         Identity and Access Governance (e.g., Identity Intelligence)

·         Enterprise Security (e.g., DLP and SIEM)

Often our clients believe they have a solution with all the bases covered, but the model exposes the gaps or weaknesses. The gaps are ideal opportunities for the cloud to enter into the conversation.

The complete process is straightforward:

1.    Look at the big picture, not just the immediate need – what is our roadmap and how does this solution fit?

2.    Determine where you stand with respect to the four core areas – what are the gaps?

3.    Decide how to cover the gaps – what role can the cloud play?

Returning to our home remodeling analogy, at some point, if gaps or weaknesses are discovered when evaluating the complete impact of the proposed remodel – if the existing foundation wouldn’t support the new addition, for example – the owners need to decide if it’s time to move to a new house instead of trying to remodel the old one.

However, with IAM it’s not an either-or proposition – i.e., either move to the cloud or fix the existing infrastructure. It’s possible to use new cloud technologies just to cover the gaps.

Many of our clients start their migration to the cloud this way, dipping in their toe instead of taking the plunge all at once. Because our cloud services offering is based on the Oracle Identity and Access Management Suite, we can offer a tremendous amount of flexibility in this regard. The Oracle platform is not a collection of point solutions, but rather a complete, integrated, best-of-breed suite. Yet it’s not an all-or-nothing proposition. You can choose just the features and capabilities you need using a pay-as-you-go model, incrementally turning on and off services as needed. Better still, all the other capabilities are there, at the ready, whenever you need them.

Spooling up these cloud-only services takes just a fraction of the time it would take a typical organization to deploy internally. SLAs in the cloud may be higher than on premise, too. And by using a suite of software that’s complete and integrated, you can dramatically lower cost and complexity.

If your in-house solution cannot be migrated to the cloud, you might consider using hardware appliances such as Simeio’s Cloud Interceptor to extend your enterprise out into the network. You might also consider using Expert Managed Services. Cost is usually the key factor – not just development costs but also operational sustainment costs. Talent or resourcing issues often come into play when thinking about sustaining a program. Expert Managed Services such as those we offer at Simeio can address those concerns head on.

In a cloud offering, identity and access services lend to the new paradigms described in my previous posts. Most importantly, it allows us all to focus on what we're meant to do – provide value, lower costs and increase security to our respective organizations. It’s that magic “silver bullet” that business knew you had all along.

If you’d like to talk more, you can find us at simeiosolutions.com.

Wednesday Jun 19, 2013

Identity in an Interconnected World: by Paul Dhanjal (Simeio Solutions)

In today’s interconnected world, we’re being forced to re-think what identity means and to adopt entirely new models for managing it. One thing’s for sure: it’s no longer confined to inside the walls of the enterprise. The lines between internal and external data ownership are blurring. In this, our third post in the series, we’ll delve a bit deeper into what these external identities look like to help us understand the implications for IT.

Let’s start by reviewing the old model. Traditionally, all identity data was internal – each application or service stored and managed all the user information it needed – completely self contained.

But “self-contained” is really just a nice way of saying “silo.” We encounter these identity silos all the time. A large corporation may have dozens, the result of mergers and acquisitions or through the independent initiatives of multiple lines of business. We see it among business partners in value chains – retail partners, ISVs, distributors, etc. We see it in government where various departments – DMV, tax collector, police department, social services, etc. – all separately collect and manage overlapping data on the same set of users.

For companies, these identity silos are costly to build and maintain – the duplication of capabilities and data is highly inefficient, and synchronizing changes across silos is difficult or impossible. They limit visibility and insight. It’s difficult to recognize an individual customer across services, for example – what looks like 10 different users is often the same person.

New cloud-based identity and access management (IAM) models have emerged to address these issues, powered in large part by two key technologies: virtual directories and identity hubs.

Virtual directories, such as Oracle Virtual Directory (OVD), are designed to provide a single, centralized authentication point for multiple services. They unify multiple directories, providing a real-time consolidated view of a person’s identity record regardless of where it’s stored. Because they typically come with adapters for most major directories and databases including those from Oracle, Sun, IBM, Microsoft and Novell, they can be remarkably easy to deploy.

The actual user accounts are still decentralized – created and maintained in the original authentication sources, not in the virtual directory. But to an application or service that’s part of the network, it appears that there’s one centralized source for authentication, removing a ton of complexity from the application, breaking down silos, and allowing you to recognize an individual across all your services.

The identity hub completes the picture. It serves as a broker between the application and the various authoritative sources of identity attributes in both enterprise and federated scenarios. It provides a single authoritative view of user data in what is generally a decentralized environment where user data is scattered among multiple repositories.

More importantly, that view changes depending on who is accessing it. Each application (or business unit, department, division, or customer) has a view that’s limited to only the information that’s deemed appropriate. That’s determined by the owner of the information, which can be another division within the same company, an external partner, or even an individual customer.

 

By combining the identity hub with a governance framework for identity federation via the cloud, you can easily share these views with partners who provide services, while ensuring the appropriate (and only the appropriate) information is securely delivered to each service provider by you, the identity provider. Simeio’s Cloud Services, for example, uses Oracle Access Manager 11g R2 to gather the requested attributes within the identity hub and build an encrypted claim in a form tailored for the consuming service.

Once you or your partners can access this information on demand, it may no longer be necessary to own or even store any portion of a user’s identity – certainly not their password, which would instantly get you out of the business of password management, including support desks and reset mechanisms.
In this new model, identity is no longer something isolated in individual applications and maintained in a single organization. Information becomes fluid, on-demand, real-time, relevant to business units, and – most important – transportable to other businesses or clients, which reduces complexity and speed to market, and opens the door to entirely new business models and revenue streams. We’ll have more on this in our fourth and final chapter.

Wednesday Jun 12, 2013

Abandoning our "Last Century" IAM Models by Paul Dhanjal (Simeio Solutions)

In our previous blog, we looked at the business drivers behind the growth of cloud-based Identity and Access Management (IAM). These drivers, combined with cultural and technology trends, have made cloud-based IAM more attractive – and, frankly, more necessary – than ever.

Now that business has evolved to offer more and more interconnected and interdependent services to a wider range of users, the old models we had relied on to manage identities no longer apply. Our old identity management and security models designed for internal users simply can’t keep up with the rapidly evolving landscape. The forces that are shaping this new reality are so powerful, their momentum so great, that they now dictate the terms of how identity must be managed within an organization. The balance of power has shifted away from the IT organization and into the hands of end-users. If you are to meet their expectations, if you hope to compete and remain relevant, you must make the transition from build-your-own IAM to out-of-the-box IAM, from customization to configuration.

While there may be a big stick pushing us to make this transition, the carrots are equally compelling: lower costs, faster time to market, enhanced security, greater flexibility and, perhaps most important, the freedom to focus on the value and quality of the services you provide instead of how they’re provided.

There may be no better example of this than bring-your-own-device (BYOD). For years, IT laid down the law to prevent it. Now, fueled by the consumerization of mobile devices and tablets, BYOD has become the rule rather than the exception. It was inevitable. BYOD not only reduces strain on the organization to purchase and support such devices, it also increases employee satisfaction and productivity.

But, of course, the concerns behind the original reticence to allow BYOD remain. In fact, those concerns are magnified now that we’ve moved from uniform desktops tethered to the office to diverse mobile devices that can literally be taken – and lost  – anywhere in the world.

Here’s where out-of-the-box solutions such as Oracle Access Management Suite come to the rescue. They’re designed to enable centralized policy management for securing access to services via mobile applications, going beyond web single sign-on, authentication and authorization. Such solutions are designed from the ground up to handle the added complexity of password management and security in a mobile world, including strong authentication, real-time behavioral profiling, and device fingerprinting. Adaptive products such as those from Oracle provide a multi-faceted approach to mitigate breaches into mobile and Web Applications, all while tying into a closed loop audit process with powerful reporting and notification engines.

Another example is the growing need to manage external identities – those of partners or customers. It may be tempting to use existing capabilities designed for internal identities for this. After all, the same basic services are involved, including handling access requests, granting access, and password management. But the differences are simply too great. There are different business needs, different security concerns, different compliance requirements, even different licensing issues.

Here, too, the new cloud-based IAM models offer us a solution. Their multi-tenancy capabilities mean a single instance of software can serve multiple constituencies discretely by virtually partitioning the management of identities based on any criteria or business need.

As they say on those late night infomercials, that’s not all. The cloud model and its converging standards open the door to entirely new ways of dealing with external identities. For example, products such as Oracle Access Manager allow users to register for a site's services using their social login IDs as an authentication mechanism (using OAuth and OpenID standards). This gets the organization out of the business of managing these external identities altogether, delegating password management, user profile, account settings, etc. to a third party – Google or Facebook, for example. 

If you’re not willing to delegate these tasks, you can still leverage external identities during registration by pulling the user’s basic identity information from a trusted third-party identity provider (IDP). This approach marries the old with the new, maintaining a security perimeter for user access by ensuring audit and closed-loop certification processes are still in place, while reducing the burden on the user who no longer has to provide basic information in order to register.

Delegation is a recurring theme in new IAM models. Cloud-based IAM, for example, makes it easy to push out user administration, certification and operational request management to individual lines of business. This in turn enables you to downsize centralized call support by using delegated authorities within those business units – managers who are closer (both conceptually and physically) to the users who require access. This is done via strong workflow management, which ties into a well-governed and managed role service as well as enterprise roles and processes for mover/joiner/leaver scenarios.

Case in point: the HR systems the US government uses to provision all roles (for resources and entitlements). Users request access directly from their managers. End-dates are used to enforce de-provisioning of all granted access, even during termination. The result is end-to-end lifecycle management with delegated administration, while ensuring compliance with a centralized audit process.

In our next post, we’ll explore what identity looks like in a secure, connected world and what that means for your business.

About

Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
3
4
5
6
7
8
11
12
13
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today