Sunday Mar 01, 2015

New! Establishing a Mobile Security Architecture

Excerpts from a recent publication.

Beyond Brute Force: 3 User-Friendly Strategies for BYOD Security*

In 1825 a painter named Samuel Morse was visiting New York City to fulfill a portrait commission and received word that his wife—at home in Washington, D.C.—had fallen gravely ill. The following day, another messenger brought heartbreaking news: Morse’s wife had died from her illness. Morse rushed home as fast as nineteenth-century transit could carry him but arrived to find his wife already in her grave. This devastating series of events led Morse to dedicate the remainder of his life to finding a means of rapid communication over long distances—eventually leading to the creation of the single-line telegraph and Morse code.

In 2014, Morse’s tragic episode underscores some of the forces mobile workers are still facing today. We are working longer hours than previous generations, many of us at greater distances from those we love. Our smartphones bring us closer to the people we care about (expanding Morse’s vision), who are no more than a voice call, e-mail, text message, or Facebook wall post away. As a result, personal and work communications are intersecting, with 89 percent of employees today using personal mobile devices at work or using their work devices for personal applications.

The phenomenon of Bring Your Own Device (BYOD) to work gives employees a kind of comfort Morse never knew, but it makes CIOs and CSOs uneasy, sparking concerns about protecting corporate data and preventing unauthorized access to internal systems. These fears are not unfounded: recent statistics show that cell phone theft has created a US$30 billion black-market economy. In San Francisco alone, 50 percent of all robberies are cell phone thefts. It is not a matter of if but when a personal device with your corporate data will fall into the wrong hands.

Download and read the rest here.

Monday Feb 23, 2015

Enabling Mobile Application Management with Secure Enterprise Single Sign On

Introduction 

Oracle Mobile Security Suite (OMSS) addresses BYOD challenges by isolating corporate data from personal data on consumers’ personal mobile devices without needing to lock down the entire device. Using a technique called containerization, the Oracle Mobile Security Suite creates a Secure Workspace (SWS) in which corporate applications, email and data are stored. Only authenticated users can access the secure workspace to run applications and access data, and only applications provisioned or approved by corporate IT can be installed and executed from within this secure workspace. If the device is lost or stolen, corporate IT can remotely wipe the secure workspace without affecting any personal data.

The OMSS Secure Workspace (SWS) leverages the OAM infrastructure for secure authentication (or even strong authentication and risk-based access in the upcoming PS3 release) and seamless single sign on to corporate resources for all containerized apps. In this blog post I'll describe how the OAM Mobile & Social (M&S) OAuth Service allows OAM to provide secure authentication and enterprise single sign on to Oracle's Mobile Secure Workspace (SWS).

How it Works


In order for the Mobile Security Access Server (MSAS) to authenticate users against Oracle Access Manager and to retrieve Oracle Access Manager and OAuth tokens for integrated single sign on, MSAS is registered as an OAuth Client with the M&S OAuth Service. In the current PS2 release we support the Confidential Client OAuth flow only; in the upcoming PS3 release we will support Dynamic Client Registration as well.

Confidential Client Flow - In this flow MSAS is the OAuth 2.0 Confidential Client and M&S is both the OAuth Server and the Resource Server. MSAS uses the client ID and secret entered in the container as its confidential client credentials. The confidential client first obtains a JWT User Token (referred to as a User Identity Assertion) using this client ID and secret together with the user ID and password the user entered in the secure workspace. It then obtains an OAuth 2.0 Access Token on behalf of the resource owner using the standard OAuth 2.0 JWT user assertion grant. The OAM tokens needed to access 11g or 10g protected resources are then obtained with the OAM Credential extension grant type, again presenting the JWT User Token. MSAS stores the encrypted JWT UT and the OAM MT (which corresponds to an OAM_ID cookie for OAM-protected web resources) in an STOKEN that is returned to the secure workspace app. An authenticated secure workspace user can therefore single sign on to OAM-protected resources with the OAM MT from the STOKEN, and to any OAM OAuth REST interface with the JWT UT from the STOKEN.
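The two token exchanges at the heart of the confidential client flow, as an added example that is not Oracle's code and does not model OMSS or OAM internals: a confidential client first trades the user's ID and password for a signed JWT user token, then presents that token as an RFC 7523 JWT bearer assertion to obtain an access token, which a resource server can later introspect. The issuer URL, signing key, client credentials and user account are constructed for the example; the OAM Credential grant and the STOKEN packaging are not modelled.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo values (assumptions, not OMSS/OAM configuration):
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"   # RFC 7523 grant type
AS_ISSUER = "https://ms.example.com/oauth"                  # assumed OAuth server identity
SERVER_KEY = b"constructed-demo-hs256-key"                  # constructed JWT signing key
CLIENTS = {"msas-client": "constructed-client-secret"}      # constructed confidential client
USERS = {"alice": "constructed-password"}                   # constructed resource owner
USER_TOKEN_TTL = 600        # seconds the JWT user token stays valid
ACCESS_TOKEN_TTL = 3600     # seconds the access token stays valid
ACCESS_TOKENS = {}          # server-side state: opaque access token -> bound claims


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign_jwt(claims: dict) -> str:
    """HS256-signed compact JWT; the signature covers the encoded header and payload."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SERVER_KEY, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _verify_jwt(token: str, now: float) -> dict:
    """Reject malformed tokens, bad signatures, expired assertions and wrong issuer/audience."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed assertion")
    expected = hmac.new(SERVER_KEY, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        raise ValueError("assertion expired")
    if claims.get("aud") != AS_ISSUER or claims.get("iss") != AS_ISSUER:
        raise ValueError("wrong issuer or audience")
    return claims


def _client_authenticated(client_id: str, client_secret: str) -> bool:
    """Confidential client authentication (the client id and secret entered in the container)."""
    expected = CLIENTS.get(client_id)
    return expected is not None and hmac.compare_digest(expected.encode(), client_secret.encode())


def issue_user_token(client_id, client_secret, username, password, now=None):
    """Step 1: the confidential client presents the user's id/password and receives a JWT user token."""
    now = time.time() if now is None else now
    if not _client_authenticated(client_id, client_secret):
        return {"error": "invalid_client"}
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return {"error": "invalid_grant"}
    claims = {"iss": AS_ISSUER, "sub": username, "aud": AS_ISSUER,
              "iat": int(now), "exp": int(now) + USER_TOKEN_TTL, "jti": secrets.token_hex(8)}
    return {"user_token": _sign_jwt(claims)}


def token_endpoint(form, client_id, client_secret, now=None):
    """Step 2: JWT bearer assertion grant; the access token is bound to the asserted user and the client."""
    now = time.time() if now is None else now
    if not _client_authenticated(client_id, client_secret):
        return {"error": "invalid_client"}
    if form.get("grant_type") != JWT_BEARER or "assertion" not in form:
        return {"error": "unsupported_grant_type"}
    try:
        claims = _verify_jwt(form["assertion"], now)
    except ValueError as exc:
        return {"error": "invalid_grant", "error_description": str(exc)}
    token = secrets.token_urlsafe(24)
    ACCESS_TOKENS[token] = {"sub": claims["sub"], "client_id": client_id,
                            "exp": int(now) + ACCESS_TOKEN_TTL}
    return {"access_token": token, "token_type": "Bearer", "expires_in": ACCESS_TOKEN_TTL}


def introspect(access_token, now=None):
    """Resource-server side check of a bearer token (RFC 7662 style response)."""
    now = time.time() if now is None else now
    info = ACCESS_TOKENS.get(access_token)
    if info is None or info["exp"] <= now:
        return {"active": False}
    return {"active": True, **info}


if __name__ == "__main__":
    step1 = issue_user_token("msas-client", "constructed-client-secret", "alice", "constructed-password")
    step2 = token_endpoint({"grant_type": JWT_BEARER, "assertion": step1["user_token"]},
                           "msas-client", "constructed-client-secret")
    print(introspect(step2["access_token"]))
```

The point worth noticing is that the client secret is checked on both calls, so a leaked user token alone is not enough to mint access tokens, and that the server validates signature, expiry, issuer and audience before it trusts the `sub` claim; a real deployment would use an asymmetric signature and persistent token storage rather than the in-memory dictionary used here.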

Dynamic Client Registration - In this authentication model, a workspace is dynamically registered with M&S through MSAS, and the workspace itself obtains the JWT Client Token after successful registration. Compare this with the Confidential Client Flow above, where the workspace app uses the client credentials of MSAS. Registering the workspace essentially means that app and device profile attributes are sent automatically to the M&S OAuth Server, which creates a JWT Client Token based on the unique "fingerprint" of the app and the device on which the workspace app runs. The rest of the flow is similar, except that the workspace app itself is the OAuth Client (a mobile OAuth client) and M&S is both the OAuth Server and the Resource Server. In this flow we support step-up authentication (using KBA or OTP) and device-context-based fine-grained authorization, both during user authentication to the workspace app and during subsequent single sign on to corporate resources from any of the containerized apps. This is possible because M&S uses its built-in integration with OAAM (via the Security Handler Plugin) to perform risk analysis on the device and app context that is now available in this authentication.

Monday Nov 17, 2014

Mobile Security - A Fine Balance Between Usability & Security

Mobile is a new channel that any IT team needs to consider carefully. Enterprise IT teams are familiar with securing access from the Web browser on desktops and laptops within the firewall, and remotely via VPN. But access from mobile devices is relatively new, especially when it's from mobile apps, not just a web browser: an app that in theory is a trusted app. And the smartphones are no longer IT-provisioned mobile devices (e.g. the standard Blackberry). Like it or not, it's a bring your own device (BYOD) world.

You could try to install something that locks down the entire device, and if the device is ever lost or stolen, remotely wipe the device and everything in it. A bit heavy handed perhaps? I for one have a ton of family pictures and personal information stored on my BYOD smartphone, and I suspect you do too. It makes me a bit uneasy to know that if I misplace my phone, all that information would be lost! (Guilty: I don't back up as often as I should.)

So there's the rub, right? If you come down with a heavy handed approach to security, end users may look for ways to work around it, or not use it at all. Somewhat self defeating. What if instead, security was provided at a more granular level, separating personal vs. work apps so that only work apps are controlled and secured? Lost phone? Wipe the specific secured apps. Later find the phone under the cushions of your couch? Ok, at least those pictures of Jr. are still there. :)

Sound too good to be true? Not so. Check out this recent blog post, "Oracle Mobile Security Suite in action", on the exact scenario I just described.

Want to see how Oracle's customers are going mobile? Don't miss the Northumbrian webcast this week on Nov 18th!

Monday Oct 20, 2014

Lost and Stolen Mobile Devices?

Lost and Stolen Mobile Devices - A Disaster Waiting to Happen?



The 'Oracle Mobile. Simply Connected.' global study found that people aged between 16 and 24 are more likely to find a way to access work data and applications on their mobile device–with or without their employers’ consent. Yet they are also the most likely to lose their mobile devices, or worse, have them stolen. To learn more, click here

Get real time information on Oracle Mobile by following us on Twitter @OracleMobile or subscribing to the Oracle Mobile blog

Monday Oct 06, 2014

Mobile Highlights from OOW14


Another successful Oracle OpenWorld! We saw drones cruising over Howard St. as well as the America’s Cup trophy and championship sailboat, plus the concert Wednesday night had some great weather. We dialed in the weather; there’s an app for that, I think it’s called Oracle ExaWeather Control Center and it's built on Oracle MAF ;-) There were a myriad of mobile sessions and hands-on labs as mobile at Oracle continues to shift into high gear. Some highlights included:


Oracle Alta User Interface

Used by Oracle’s cloud applications, cloud services and available for customer-developed applications, new UI design principles deliver elegant user interfaces and experiences for web and mobile applications. Quote from the audience: "We were thinking of starting to rewrite our front end in AngularJS, but this new Alta skin looks awesome!”


Oracle Mobile Cloud Service (MCS) - Simplify enterprise connectivity: any app, any data - secure. The demos were great and the hands-on labs were packed. Mobile + Cloud = Rethink Mobile


Preview of Oracle Mobile Application Accelerator (MAX) - a cloud-based offering that brings mobile application development capabilities to professionals with no previous software development experience. With Mobile Application Accelerator, program managers, power users, and business professionals can develop mobile applications quickly and visually through their web browser.

Voila! Enhanced Oracle Mobile Application Framework + Oracle Mobile Security Suite. To simplify secure mobile application development, Oracle is deepening the integration between Oracle Mobile Application Framework and Oracle Mobile Security Suite as part of the mobile application lifecycle management process. This integrated approach makes it easier for developers to create a seamless user experience, without compromising security.

Are you developing with Eclipse? These two were announced prior to OpenWorld and are worth repeating: a new version of Oracle Mobile Application Framework is now available in the latest update of Oracle Enterprise Pack for Eclipse!

And with the continued adoption and use of Oracle Mobile Application Framework throughout Oracle and its customers, there are 14 new mobile apps for Oracle E-Business Suite!

Need to go hands on with mobile? Mobile Application Framework Challenge - The Oracle Mobile Application Challenge invites developers to demonstrate how the Oracle Mobile Application Framework can be used to create and/or extend an enterprise application through mobile technology and then deploy that application to a handheld device.


If you weren’t able to make some of these great sessions, don’t worry.  Oracle Technology Network is sponsoring a Virtual Technology Summit covering mobile topics and more. 

Phew! More mobile? Go to Oracle.com/mobile and then follow us on Twitter @OracleMobile

Wednesday Jun 18, 2014

Standards Corner: IETF Revisits HTTP/1.1

HTTP has been one of the most successful IETF specifications aside from the Internet itself. When it was created in 1999, the authors of HTTP had no idea how big and how widely used it would be.  For many years the focus was on the evolving world-wide-web and HTML. The web itself went through many transformations with the introduction of Ajax and then HTML5 by the W3C.  Meanwhile, non-browser use of HTTP has been steadily growing especially with the exploding popularity of smart devices, the Internet of Things, and in particular RESTful APIs.

Last week, the IETF officially did away with RFC2616, the main specification document that defined HTTP/1.1. RFC2616 has been broken up into 6 specifications, RFC7230 through 7235.


[Read More]

Friday May 30, 2014

Standards Corner: Preventing Pervasive Monitoring

On Wednesday night, I watched NBC’s interview of Edward Snowden. The past year has been a tumultuous one in the IT security industry. There have been some amazing revelations about the activities of governments around the world, and we have had several instances of major security bugs in key security libraries: Apple's ‘gotofail’ bug, the OpenSSL Heartbleed bug, not to mention Java’s zero day bug, and others. Snowden’s information showed the IT industry has been underestimating the need for security, and highlighted a general trend of lax use of TLS and poorly implemented security on the Internet. This did not go unnoticed in the standards community and in particular the IETF. [Read More]

Monday May 05, 2014

Identity Enabling Mobile Security

Authored by Suresh Sridharan, Business Manager, Security

Smart Connected Device Growth: The growth of smartphones and tablet devices has been phenomenal over the past 4 years. Global smartphone shipments have grown extensively from approximately 100m units in 2010 to 725m units in 2012, reaching 1b devices in January 2014. Simultaneously, tablet shipments have grown from 5m units in 2010 to approximately 125m units in 2012. Tablet numbers are likely to touch 400m units by 2017.

This explosion in the shipment of smart connected devices has also led to a significant change in users’ behavior and expectations.

In a corporate environment, the phenomenon of Bring Your Own Device (BYOD) is gaining momentum. Gartner predicts that 38% of all organizations will have an “all BYOD” policy by 2016, up from 6% today (2014). If the same device is being used for both personal and work purposes, users will expect the same experience across corporate and personal apps. Further, employees regularly use similar apps for both business and personal purposes; examples include WhatsApp, Skype and Facebook.

Mobile devices present benefits both for organizations and for individuals. Surveys show that a BYOD policy helps employees gain an extra 37 minutes of productive time every week. To increase sales productivity, some of our customers are mobile-enabling sales teams to ensure that they have access to the latest information when they meet with customers.

Security is one of the most significant mobile device challenges both for consumers and for enterprises. Although mobile commerce is growing rapidly (to $25b in the US alone), 60% of all retail transactions that get to the checkout stage are abandoned, with security as one of the main causes, according to recent data.

As corporate data on the device co-mingles with user data on a personal device, it becomes challenging for enterprises to impose restrictions on the use of devices. About 40% of adults do not protect their smartphones with a passcode; for married adults that number goes up to 45%.

In order to address security challenges, IT should be able to define and enforce policies that meet security and privacy standards to protect intellectual property, other corporate assets and, optionally, personal employee data.

There are three things to consider while implementing security in the new mobile age:

  1. Implement a strong identity management system that allows one to manage users and ensure that they are able to access information based on the principle of least privilege to carry out the necessary tasks.
  2. Implement an access management solution to secure data based on who is accessing it and the risk profile of that specific transaction.
  3. Implement a mobile security solution that will help secure data on the device and ensure corporate security policies are enforced on the device from which assets are being accessed.

In essence, organizations need to ensure that application data is secured based on the user accessing it and the device and location from which it is being accessed. Securing the device and the user identity in isolation is not sufficient.

Interested in following the security blog more closely? Check out the Oracle Identity Management blog here.

Wednesday Apr 09, 2014

Standards Corner: Basic Auth MUST Die!

Basic Authentication (part of RFC2617) was developed along with HTTP/1.1 (RFC2616) when the web was relatively new. This specification envisioned that user-agents (browsers) would ask users for their user-id and password and then pass the encoded information to the web server via the HTTP Authorization header. This form of authentication is still being requested today. Why? [Read More]

Wednesday Feb 19, 2014

Management of Oracle Database Authorization with Oracle Identity Manager

Oracle Identity Manager projects usually start with management of the user identity life-cycle from the trusted source to the target systems. Once user identity management is complete, the second step is entitlement management for users, for example managing users' roles on Oracle Databases, Windows servers or any custom applications.

In this post I want to share my experience of managing Oracle Database authorization through Oracle Identity Manager in a project.

We used three components for management of Oracle Database authorization: Oracle Database Enterprise User Security (EUS), Oracle Unified Directory (OUD) and Oracle Identity Manager (OIM).

Enterprise User Security enables you to centrally manage database users across the enterprise. It is a component of Oracle Database.

Oracle Unified Directory is a comprehensive next-generation directory service that is designed to address large deployments, to provide high performance, to be highly extensible and to be easy to deploy, manage, and monitor. Here, Oracle Unified Directory is used for role management integrated with Enterprise User Security. Integrating Oracle Unified Directory with Oracle's Enterprise User Security (EUS) enables you to store user identities in Oracle Unified Directory for Oracle Database authentication.

Oracle Identity Manager is used to manage the life-cycle of Oracle Unified Directory users, with the right attribute values and group memberships. The whole process starts from Oracle Identity Manager, which then adds the user to an OUD group or removes the user from it. The user therefore obtains database rights via Oracle Unified Directory and Enterprise User Security.


The following steps explain the integration of these three tools.

1- Enable Oracle Unified Directory for Enterprise User Security by using Oracle Directory Services Manager (ODSM).

  • Connect to the directory server from ODSM.
  • Select the Home tab.
  • Under the Configuration menu, select Create Base DN.
  • On the Configuration Wizard, enter the details of the new suffix.
  • Select the EUS Enabled check box.
  • Click Create to add the new, EUS-enabled suffix.

2- After OUD has been enabled for EUS, you must update the realm information in the OUD configuration by performing the following steps:

  • Locate the LDIF template file at install_dir/config/EUS/modifyRealm.ldif.
  • Edit the modifyRealm.ldif file as follows:
    - Replace dc=example,dc=com with the correct naming context for your server instance.
    - Replace ou=people and ou=groups with the correct location of the user and group entries in your DIT.
  • Use the ldapmodify command to update the configuration with the edited LDIF template file, for example:

    $ ldapmodify -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -v -f modifyRealm.ldif

3- Complete the following configuration on the Oracle Database:

  • Configure your database for directory usage by using NetCA.
  • Register the database with the directory by using DBCA.
  • Create a shared schema in the database.
  • Map enterprise users to the shared schema.

4- Install the Oracle Internet Directory Connector in Oracle Identity Manager, so that users can be provisioned to Oracle Unified Directory and groups (and therefore roles) can be managed.

Once all of the above steps are complete, Enterprise User Security is enabled on the database. Then create database roles (enterprise roles) and map these roles to Oracle Unified Directory global roles. Finally, manage users' Oracle Database authorization with Oracle Identity Manager through Oracle Unified Directory.
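To make the LDIF edit in step 2 repeatable, here is an added helper script (not part of the post or of Oracle's tooling) that renders the realm LDIF for a concrete DIT, refuses values that are not well-formed DNs before they reach the directory, and assembles the ldapmodify command line from step 2 as an argv list. The template text is a constructed stand-in for install_dir/config/EUS/modifyRealm.ldif and its attribute names are illustrative; the three placeholders it contains are the ones the step says to replace.

```python
import re
import shlex

# Constructed stand-in for the shipped modifyRealm.ldif: only the three placeholders
# named in step 2 matter here; the attribute names are illustrative.
TEMPLATE = """dn: cn=OracleContext,dc=example,dc=com
changetype: modify
replace: orclCommonUserSearchBase
orclCommonUserSearchBase: ou=people,dc=example,dc=com
-
replace: orclCommonGroupSearchBase
orclCommonGroupSearchBase: ou=groups,dc=example,dc=com
"""

# One or more "attr=value" RDNs separated by commas; values may contain spaces
# (as in "cn=directory manager") but not unescaped commas or equals signs.
_DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+(,[A-Za-z][A-Za-z0-9-]*=[^,=]+)*$")


def is_dn(value: str) -> bool:
    """Cheap syntactic check that a value looks like a DN or RDN before it goes into the LDIF."""
    return bool(_DN_RE.match(value.strip()))


def render_realm_ldif(template: str, base_dn: str, users_rdn: str = "ou=people",
                      groups_rdn: str = "ou=groups") -> str:
    """Substitute the naming context and the user/group containers into the template."""
    for name, value in (("base_dn", base_dn), ("users_rdn", users_rdn), ("groups_rdn", groups_rdn)):
        if not is_dn(value):
            raise ValueError(f"{name} is not a well-formed DN: {value!r}")
    rendered = template.replace("dc=example,dc=com", base_dn)
    # The containers are replaced only where they start a longer DN (followed by a comma)
    # and are not glued to a preceding token, so unrelated text is left alone.
    rendered = re.sub(r"(?<![A-Za-z0-9=])ou=people(?=,)", users_rdn, rendered)
    rendered = re.sub(r"(?<![A-Za-z0-9=])ou=groups(?=,)", groups_rdn, rendered)
    return rendered


def ldapmodify_command(ldif_path: str, host: str = "localhost", port: int = 4444,
                       bind_dn: str = "cn=directory manager", pwd_file: str = "pwd-file") -> list:
    """The ldapmodify invocation from step 2 as an argv list (the bind DN needs no shell quoting)."""
    if not is_dn(bind_dn):
        raise ValueError(f"bind DN is not well-formed: {bind_dn!r}")
    return ["ldapmodify", "-h", host, "-p", str(port), "-D", bind_dn,
            "-j", pwd_file, "-v", "-f", ldif_path]


if __name__ == "__main__":
    # Constructed DIT for the demonstration: users under ou=staff, groups under cn=dbroles.
    ldif = render_realm_ldif(TEMPLATE, "dc=acme,dc=corp", "ou=staff", "cn=dbroles")
    with open("modifyRealm.edited.ldif", "w") as fh:
        fh.write(ldif)
    print(ldif)
    # Printed rather than executed: review the rendered LDIF, then run the command against OUD.
    print(shlex.join(ldapmodify_command("modifyRealm.edited.ldif")))
```

The script deliberately stops short of running ldapmodify itself: the realm attributes it changes decide which directory subtrees EUS trusts for user and group lookups, so an operator should read the rendered LDIF before applying it to the directory.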

P.S.: If you want to manage Oracle Database 9i, you have to use Oracle Internet Directory instead of Oracle Unified Directory.

About me:

Mustafa Kaya is a Senior Consultant in the Oracle Fusion Middleware Team, living in Istanbul. Before coming to Oracle, he worked in teams developing web applications and backend services at a telco company. He is a Java technology enthusiast and software engineer, addicted to learning new technologies and developing new ideas.

Follow Mustafa on Twitter, connect on LinkedIn, and visit his site for Oracle Fusion Middleware related tips.

Thursday Dec 12, 2013

Going Mobile?...ORACLE is!

If you didn’t hear about it at Oracle Open World, if you didn’t read our Press Releases … if you didn’t see our homepage banner, OR EVEN IF YOU DID .... you definitely need to register for our Oracle Mobile Strategy Update to get the latest on Oracle's Mobile Strategy. Mobile is hot and it is here to stay … but today the complexity is no longer just about how to develop mobile apps, it is also about how to integrate, secure, deploy and manage them with the backend systems.

In this video webcast, Gartner, the leading industry analyst, will provide an overview of the current mobile landscape and the challenges and opportunities for enterprises; then our top Oracle executives will discuss how Oracle is simplifying enterprise mobility and demonstrate how you can easily develop, integrate, secure, deploy and manage.

Let’s chat or tweet #OracleMobile during the webcast on Dec. 12, 2014 at 10:00AM (PT), and be sure to visit: www.oracle.com/mobile

Tuesday Oct 22, 2013

It's Coming: Chalk Talk with John

...John Brunswick that is.

Who is this John Brunswick, you ask? John Brunswick is an Enterprise Architect with Oracle. As an Oracle Enterprise Architect, John focuses on the alignment of technical capabilities in support of business vision and objectives, as well as the overall business value of technology. What's more, he is pretty handy with animation and digital videos, as you will see shortly. Starting tomorrow, we will host a bi-weekly column with John called "Chalk Talk with John".

In our "Chalk Talk with John" series, John will leverage his skills, experience and expertise (& his passion in digital animation) to discuss technology in business terms or as he puts it "so my ma understands what I do for a living". Through this series, John will explore the practical value of Middleware in the context of two fictional communities, shared through analogies aligned to enterprise technology.  This format offers business stakeholders and IT a common language for understanding the benefits of technology in support of their business initiatives, regardless of their current level of technical knowledge.

So, be sure to tune in tomorrow and every 2 weeks for "Chalk Talk with John".

