Cloud Security Perspectives and Insights

Identity as the New Perimeter - Understanding SaaS Access Management

David B. Cross
SVP SaaS Security

Our guest authors this week are Chirag Andani, Oracle SaaS Security Services, Vice President, and Atul Goyal, Oracle Identity Cloud Service, Sr Principal Product Manager.

Secure your deployment of Oracle Fusion SaaS

You might be among the thousands of Oracle application customers who are embarking on a journey of cloud transformation by rapidly adopting Oracle Fusion SaaS for HCM, ERP, Sales, CRM and Marketing business processes. Mobile devices and the cloud platform have undeniably altered the traditional network perimeter. Your IT professionals can no longer assume trust across the stack as resources are available from anywhere and from any device.

As you adopt an API-first approach to provide business value to your partners and consumers, you need to understand what threats and vulnerabilities these APIs may expose. Identity becomes the new perimeter in this business transformation.

Built-in security

With an open-standards identity platform powered by SCIM, OAuth and SAML, Oracle Identity Cloud Service provides built-in security for the Oracle Fusion SaaS stack and the extensions built by customers. The Identity Cloud Service ensures that the right people have the right access to the right resource in the right context at the right time across Oracle SaaS applications. This provides governance, compliance and risk-aware security for applications, while improving productivity through automation and multi-channel access. We like to call this risk-aware access, where identity is the core component in managing and reducing risk (as shown in the graphic below).


In a risk-aware access scenario, there are three key areas in which Oracle Identity Cloud Service (IDCS) secures your Oracle Fusion SaaS deployment:

Enables hybrid deployment and multi-channel access. You can integrate with on-premises LDAP and Active Directory by federating identities from either your on-premises directory or another cloud identity provider, such as Azure AD, using SAML 2.0. By centralizing user and entitlement management across different SaaS properties through provisioning and lifecycle workflows, you can eliminate human errors, improve productivity, and provide a single pane of glass for auditors. Additionally, you can enable multi-channel access by opening web, bot, and mobile channels through modern authentication standards such as OAuth 2.0.

Enforces context- and risk-aware security. By using passwordless authentication, you can reduce credential phishing and the breaches that follow from it. You can also use location, context, user, and device information to determine risk. You can further define adaptive policies and secure end-user and administrative access with adaptive multi-factor authentication. And at the development layer, you can enforce API security with standards-based OAuth 2.0 token policies.

Ensures governance and compliance. We always recommend that you use the available rich reporting capabilities to perform periodic reviews of users' access and to automatically block access for high-risk users. You can easily enable and automate the access-grant and revocation process when users are onboarded and offboarded via HR integration. This configuration provides a single pane of glass for users and roles across SaaS and hybrid applications.

In addition, you can define RBAC and birthright access policies to automate user provisioning into various SaaS applications and external systems. This reduces the risk of unwanted access and makes users productive from their first day. The system also helps you meet regulatory and certification requirements such as PCI, GDPR and FedRAMP through its integrated terms-of-use, consent management, and strong session control functionality.

Use these principles to plan your deployment

As you move your applications to the cloud, you need to take a risk-aware access approach. We recommend using the following principles in your planning to ensure a successful deployment with an optimized access strategy:

  • Identity is the new perimeter with traditional perimeters becoming extinct.
  • Preventive controls are not enough: you need to constantly monitor and evaluate your risk.
  • Identity security is native to and pre-integrated with Oracle SaaS applications.
  • Oracle SaaS applications take advantage of security features built into the Oracle Cloud Security platform to offer an integrated and cost-effective solution to our customers.


