Thursday Jul 19, 2012

Oracle Identity Management 11g R2: Securing the New Digital Experience

Today, the 11g R2 version of the Oracle Identity and Access Management platform was formally announced, with the tagline, “Optimized to Secure the New Digital Experience.”

We in the information security organizations of Oracle have been waiting anxiously for this announcement.  This week, the North American Sales and Sales Consulting organizations gathered in Santa Clara, CA, to be trained on this exciting new set of products.

There are three major reasons why I believe this announcement is a big step forward for our customers.

First, this release delivers advanced functionality that gives really compelling business reasons for existing Sun Identity Manager customers to migrate to the Oracle Platform. It is no longer an issue of “moving from point A to point A in functionality,” just to get on the Oracle platform before premium support expires for the Sun product.  It means moving to the Oracle platform to leverage really innovative capabilities that will accelerate business value.

Second, this platform brings to reality a dream we were promoting at Sun as part of Project Destination way back before the Oracle acquisition: integrating Identity and SOA technologies to deliver “highly personalized, identity-enabled, blended applications on mobile devices.”  The new Mobile and Social capabilities and Secure API functionality added to the Oracle Access Management platform provide a fully-integrated platform to deliver such functionality more easily and more securely than ever before.  Back at Sun, many of our customers adopted the vision we espoused, but making it happen was pretty hard work.  Now, the Oracle Access Management platform does all the heavy lifting for us.

Third, this release shows continued, significant progress towards Oracle’s vision of a truly integrated, service-oriented architecture for Identity and Access Management.  No longer is the Oracle suite just a nice collection of acquired products.  From my perspective as an Enterprise Architect, it is great to see the convergence of data models, functionality, administration services and architectural components.  It is the simplification and streamlining of architecture that will ultimately solve the complexity our customers face.

So, it will be great to work with our customers to show how they can leverage this great platform to meet their business needs. Saddle up for a great ride!

Wednesday Jun 20, 2012

Oracle Event: Database Enterprise User Security

One of the high-value benefits of an integrated Identity and Access Management platform is the ability to leverage a unified corporate directory as the primary authentication source for database access. On July 11, 2012 at 08:00 am PDT, Oracle will host a webcast showing how Enterprise User Security (EUS) can be used to externalize and centrally manage database users in a directory server. The webcast will briefly introduce EUS, followed by a detailed discussion about the various directory options that are supported, including integration with Microsoft Active Directory. We'll conclude with how to avoid common pitfalls when deploying EUS with directory services. Discussion topics will include:
  • Understanding EUS basics
  • Understanding EUS and directory integration options
  • Avoiding common EUS deployment mistakes
Make sure to register and mark this date on your calendar! - Click here to register.

Friday Apr 27, 2012

Titanic Catastrophe: Compliant Doesn’t Mean Secure

April 15th marked the 100th anniversary of the sinking of the RMS Titanic - by any measure a catastrophe of epic proportions. As we think about lessons collectively learned from this event, may I suggest a nugget worth remembering that has little to do with sinking ships, but a lot to do with the enterprise we serve today? According to a recent ABC article:
... the Titanic was fully compliant with all marine laws. The British Board of Trade required all vessels above 10,000 tonnes to carry sixteen lifeboats. The White Star Line ensured that the Titanic exceeded the requirements by four boats.
But we all know that twenty lifeboats were not nearly enough for this ship.  The article continues:
But the ship was 46,328 tonnes. The Board of Trade hadn't updated its regulations for nearly 20 years. ... The lifeboat regulations were written for a different era and enforced unthinkingly.
"Enforced unthinkingly."  Therein lies our little lesson. In the discipline of information security, we may be tempted to think that "compliant" means secure.  But we must not accept that at face value.  We must really understand what regulations mean and how they apply to our enterprises.  PCI DSS or HIPAA compliance may go part way, but do they really go far enough to protect the vital information that is the lifeblood of our businesses? Let's make sure we have adequate "lifeboats" and not rely completely on those who write regulations to protect our businesses.

Thursday Mar 15, 2012

The Linked Data Strategy for Global Identity


A colleague recently shared an interesting article with me.  "The Linked Data Strategy for Global Identity" by Hugh Glaser and Harry Halpin focuses on dealing with "the Identity problem in the context of linked data."  Unfortunately, there is a charge to buy the article, but here is an overview.

The topic is introduced this way:

Identity is easily one of the most difficult research areas on the Web and Semantic Web, and one that needs both practical solutions and multidisciplinary research. Identity is how to refer reliably to anything, abstract or more concrete, over time and space, and in different contexts. We’re used to identity being quite simple, as your name easily refers to you when another person is speaking to you. Yet on closer inspection, and at a Web scale, identity is quite tricky, as when you type your name into a search engine and see that it can refer to many other people in different contexts.

I can identify with that problem - there are many "Mark Dixons" in the world who are far more famous than I.  For example, I am quite sure that "Emmy-nominated and AP Award winning Channel 3 Early Warning Weather Meteorologist Mark Dixon" is not the author of this blog.

The whole topic of Linked Data is fascinating to me.  A Wikipedia article on the subject states:

Linked data describes a method of publishing structured data so that it can be interlinked and become more useful. It builds upon standard Web technologies such as HTTP and URIs, but rather than using them to serve web pages for human readers, it extends them to share information in a way that can be read automatically by computers. This enables data from different sources to be connected and queried.

Again, I can relate … there exists a myriad of data about me on the Internet, some published by me and some by others.  It is really very disjoint and often unconnected.  If people poke around at the information, they may be able to relate disparate items because they recognize my photo or other descriptive attributes.  However, it would be very difficult for computers to automatically relate all the different items. (That might not be such a bad thing in many cases.)

After exploring a few alternative approaches to this thorny problem, the Global Identity article concludes:

The entire bet of the linked data enterprise critically rests on using URIs to create identities for everything. Whether this succeeds might very well determine whether information integration will be trapped in centralized proprietary databases or integrated globally in a decentralized manner with open standards. Given the tremendous amount of data being created and the Web’s ubiquitous nature, URIs and equivalence links might be the best chance we have of solving the identity problem, transforming a profoundly difficult philosophical issue into a concrete engineering project.

It will be interesting to see what progress is made on this issue in upcoming years.
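To make the article's closing bet concrete, here is a small added example (my own illustration, not code from the article or its authors) of what "URIs plus equivalence links" means in practice. It builds a union-find over a constructed set of triples in which several URIs share the name "Mark Dixon": records are merged only where an explicit `sameAs` link exists, never because the names match. All URIs, predicate names and attribute values are made up for the example.

```python
"""Resolving identities from URIs and equivalence links (constructed example)."""
from collections import defaultdict

# Constructed triples (subject URI, predicate, object). Three URIs carry the
# name "Mark Dixon"; only the explicit sameAs links assert that two of them
# (plus a third, linked transitively) denote the same person.
SAMEAS = "sameAs"
TRIPLES = [
    ("http://example.org/people/mdixon", "name", "Mark Dixon"),
    ("http://example.org/people/mdixon", "topic", "identity management"),
    ("http://blog.example.net/author#mark", "name", "Mark Dixon"),
    ("http://blog.example.net/author#mark", SAMEAS, "http://example.org/people/mdixon"),
    ("http://data.example.org/id/42", SAMEAS, "http://blog.example.net/author#mark"),
    ("http://data.example.org/id/42", "homepage", "http://blog.example.net/"),
    ("http://tv.example.com/staff/mark-dixon", "name", "Mark Dixon"),
    ("http://tv.example.com/staff/mark-dixon", "occupation", "meteorologist"),
]


class UnionFind:
    """Disjoint sets over URIs; sameAs is symmetric and transitive, so one
    equivalence class is exactly one connected component of sameAs links."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def build_index(triples):
    """Return (uf, clusters): clusters maps a canonical URI (the lexicographically
    smallest member of its equivalence class) to the attributes merged from every
    URI in that class. Non-sameAs predicates are never used to merge."""
    uf = UnionFind()
    for s, p, o in triples:
        uf.find(s)  # register every subject, even ones with no links
        if p == SAMEAS:
            uf.union(s, o)
    members = defaultdict(set)
    for uri in list(uf.parent):
        members[uf.find(uri)].add(uri)
    canonical = {root: min(ms) for root, ms in members.items()}
    clusters = {c: defaultdict(set) for c in canonical.values()}
    for s, p, o in triples:
        if p != SAMEAS:
            clusters[canonical[uf.find(s)]][p].add(o)
    return uf, {c: dict(attrs) for c, attrs in clusters.items()}


def same_entity(uf, a, b):
    """True only if an explicit chain of sameAs links connects a and b."""
    return uf.find(a) == uf.find(b)


if __name__ == "__main__":
    uf, clusters = build_index(TRIPLES)
    for canon, attrs in clusters.items():
        print(canon, attrs)
```

The interesting property is the one the article hints at: because `sameAs` is transitive, a single wrong or untrusted equivalence link silently merges two people's records, so in a real deployment the provenance of each link matters as much as the link itself.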

Resurrecting Discovering Identity on Blogs.Oracle.Com

In response to requests that I refresh my Discovering Identity blog that has been lying dormant on since February 2010, I will commence today to satisfy that request.

Discovering Identity

I created this blog on  in May 2005 and updated it regularly until Oracle acquired Sun in February 2010, at which time I switched to self-publishing the blog at  The full archive of my posts from May 2005 to February 2010 is available on this site and also on the site.  From now on, I will publish items of interest to the Oracle community on both sites and address issues beyond that scope on the site.

If anyone has items you would like me to address on this blog, please let me know.


Mark Dixon 

Tuesday Feb 09, 2010

How Many iPhone Apps Do You Use?

On a recent trip out of town, while waiting in the Phoenix airport to board my flight, I suddenly became aware that I had really used a lot of apps on my iPhone that morning. So I counted the ones I had used – all 15 of them – before 10am.

  1. Mail
  2. Phone
  3. iPod
  4. Safari
  5. Messages
  6. Calendar
  7. Toodledo
  8. Evernote
  9. Tweetie
  10. Facebook
  11. Brightkite
  12. Livestrong
  13. AP Mobile
  14. Weather Channel
  15. Tripit

I went on to use some more apps later in the day, but this all goes to prove that the iPhone has become an indispensable part of my life – helping me be more productive, connected and responsive to the people in my life.

What apps are a critical part of your everyday life?


Oracle Street in Mesa, Arizona

When he learned I would be re-joining Oracle after my time at Sun Microsystems, my son suggested that I take a drive down Oracle Street in Mesa, Arizona, to celebrate.  It is a small street with a big name, located about a mile from my house.  Here is evidence that I took the trip.

Oracle Street in Mesa, AZ


Identity Services for Cloud Computing

To support recent discussions about Identity Management and Cloud computing, I divided the types of Identity Services that might be needed to support Application services into three major categories as shown in the following diagram and explained in a bit more detail below:


The specific services provided in each category could include:

Identity Administration Services

  • Create, update, delete identities
  • Password/credential management
  • Entitlement definition/management
  • Provision/de-provision access privileges
  • Role engineering/management
  • Policy definition/management

Identity Enforcement Services

  • Authentication
  • Authorization
  • Access control
  • Federation
  • Web services security

Identity Audit Services

  • Reporting
  • Evaluation
  • Attestation
  • Validation
  • Remediation

Did I miss any services that you think should be present?  Any input on the categories or types of services?  Any input or criticism would be most welcome.

Thursday Feb 04, 2010

Users of Cloud-based Services

The following chart may be helpful as we consider the different types of users that should be addressed by Identity and Access Management (IAM) technology and processes in cloud computing.

At the Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) layers, the only users are administrators of the platform or infrastructure services, respectively.  However, these administrative users may be either on the provider side or on the recipient or enterprise side.  End users, whether within the enterprise (employees or contractors) or external to the enterprise (customers and partners), only exist at the application layer or Software as a Service (SaaS) layer.

This illustrates how cloud computing introduces increased complexity into IAM. Not only do the different layers (PaaS, IaaS and SaaS) have unique requirements, but multiple organizations (e.g. provider and enterprise) need to be considered.

For example, the nature of PaaS services will require provider administrators to have root access to the operating system, while enterprise administrators at the SaaS level may only need access to application configuration functions, and external SaaS users only need access to selected application functions.

Hopefully, this provides food for thought as we explore IAM in cloud computing.  I’d be grateful to hear your comments.

Friday Jan 29, 2010

Boomeranging Back to Oracle


  • noun, “a bent or curved piece of tough wood used by the Australian Aborigines as a throwing club, one form of which can be thrown so as to return to the thrower.”
  • verb, “to come back or return, as a boomerang”

I first joined Oracle in 1997, as a pre-sales consultant on the Oracle Telecommunications sales team, and then spent an intense three years literally travelling around the world in support of Oracle sales activities to many telecommunications companies.  I learned much, worked with outstanding people, had great experiences, and then was lured away to a Silicon Valley startup just before the .com bubble burst. A series of interesting experiences with small companies led me to Sun.  It turns out that the executive who initially hired me at Oracle was the same one who referred me into Sun.

So now, after nearly a decade,  I will be leaping back into the Oracle fold with my Sun colleagues, eager with anticipation, looking forward to many more exciting years.


A Tribute to Friends

As Sun transitions into Oracle, the bright expectations of new opportunities have been accompanied by the gut-wrenching impact of learning which friends were not invited to make the leap.  Thursday and Friday were difficult for me, as I heard from outstanding people I have learned to admire and trust that they were opening new doors in their lives.

As a tribute to them and all other friends I have come to know and respect during my sojourn at Sun, I offer a few lines I penned several years ago ...

A Tapestry Of Miracles

Like brilliant golden strands
Woven delicately yet boldly
Among more dreary threads
To create a magnificent tapestry,
Our lives converge
In brief but sparkling brightness,
And then intertwine into
Radiant relationships
Borne of common hopes and dreams.

Countless encounters
Of human souls,
Guided by an unseen hand,
Link our lives together,
Creating cascading
Miracles of light,
Illuminating our hearts and minds
Amidst the harshness and the gloom
Of mortal life,
Ever weaving and preparing
The glorious, eternal tapestry
Of humankind.

Mark G. Dixon
November 15, 1996

Photo credit: A quilt entitled “The Woodpeckers” by Kathy Swartz, based on a tapestry of the same name by William Morris.


Thursday Jan 28, 2010

Identity-Enabled Patient Consent Management

Last Thursday, January 21st, I gave a presentation at the Sun Horizons conference, “Healthcare Integration Through a New Perspective.”  The title of my talk was “Identity Management: Securing Information in the HIPAA Environment.”  I explored how the complementary functionality of Identity Management and Master Patient Index technologies can enable effective Patient Consent Management, a vital requirement for online health information networks.

A copy of my presentation deck is available for download here.

At the heart of my presentation was the following diagram, which illustrates major components required in a Patient Consent Management system:


A brief explanation of key components follows:

Identity and Role Repository

IAM technology and methods provide the foundation for an effective patient consent management system.  An Identity and Role Repository contains Identities, roles and access control credentials necessary to support the consent system.  This repository includes:

  • Patients
  • Providers
  • Access Rights
  • Roles (map business responsibilities to access rights)
  • Override Rights (Only users with specific roles can perform override without consent)

Consent Registry

A consent registry is required to specify what permissions have been granted by patients, within the allowable limits specified by each applicable jurisdiction.   Some of the key attributes include:

  • Consent Permissions for
    • Patients
    • Organizations
    • Users
  • System-wide mask (everyone)
  • Fine-grained access
  • Include or exclude attributes
  • Accommodation for multiple jurisdictions

Master Patient Index

A Master Patient Index enables correlation of patient data across multiple repositories.  This is essential because patient records are typically held in multiple locations.  In other cases, even if patient records exist in the same physical data warehouse, they are often logically separated.

Federated Data Access

If patient data is located in physically or logically separate locations, federated data access control allows access across domain boundaries without compromising the privacy or integrity of individual patient record repositories.

Data Access Services

By providing a set of centralized data access services governed by IAM, the Consent Registry and the Master Patient Index, a secure method of patient data access is possible.

Wednesday Jan 27, 2010

New Luggage Wheels

I recently replaced the wheels on my roll-aboard suitcase with inline skate wheels.  So much for a run-of-the-mill black-on-black look for my luggage!  I hope the fact that I chose orange rather than red doesn’t get in the way of success with Oracle.

New Luggage Wheels

Oracle and Sun Luggage Tags

In August, 2007, the Sun National Sales Conference featured Oracle/Sun luggage tags for all attendees, which was terribly ironic for those of us in the software business, which competed head to head with Oracle.  Little did we realize at that time how prophetic those luggage tags would be!

Oracle Sun Luggage Tags

So bye-bye, dear 'ole S-M-I

Thanks to my colleague Patie McCracken for sharing this nostalgic song ... to the tune of the old favorite “American Pie” by Don McLean.  Patie isn't the author, but she received it from colleagues in Europe.

  A long, long time ago....
  I can still remember when
  Unix used to make them smile.
  And we knew that if we had a chance
  Sun could make those networks dance
  And, maybe, they'd be happy for a while.

  But DEC and Apollo make us shiver
  With every workstation they'd deliver.
  Competition camped out on doorsteps
  We had to fight for each step.

  I remember how hard we tried
  To win each system that they buy
  Yes, something touched me deep inside
  The day Sun Microsystems died.

  So bye-bye, dear 'ole S--M--I
  We drove those networks to the limit
  And made applications fly!!
  Them corporate boys have kissed Sun good-bye,
  Singing, "Time to give Oracle a try.
  Time to give Oracle a try!!"

  Have you heard of Solaris OS?
  And do you believe in Open Source?
  If the European Union tells you so.....
  Do you have faith in MySQL?
  Can Java save your mortal soul?
  And, can you keep data from moving slow....

  Well, I know that Larry's in the groove
  `cause I saw his keynote on You-Tube.
  Oracle and Sun have hit the news!!
  Man, I dig them targeting Big Blue.

  I was a great Sun Sales Rep kicking butt
  With a SPARC based server and tons of spunk
  But I knew I was out of luck
  The day the Sun Microsystems died.

  So bye-bye, dear 'ole S--M--I
  We drove those networks to the limit
  And made applications fly!!
  Them corporate boys have kissed Sun good-bye,
  Singing,  "Time to give Oracle a try.
  Time to give Oracle a try!!"

  For nearly 27 years we've been on our own
  Now our revenue's gone down and confidence is blown.
  But, that's not how it used to be.
  When Scott ruled with Ed and Joe,
  And installed systems around the globe
  With a OS that came from BSD....

  Oh, and while Scott was flying around,
  The jester grabbed his SMI crown.
  The stock-holders were concerned;
  The SUNW brand was over turned.

  While Jonathan played his agenda in the dark,
  IBIS ran in stops and starts,
  We just kept selling Solaris and Sparc
  The day Sun Microsystems died.

  We were singing,
  Bye-bye, dear 'ole S--M--I
  We drove those networks to the limit
  And made applications fly
  Them corporate boys have kissed Sun good-bye.
  Singing, "Time to give Oracle a try.
  Time to give Oracle a try!!"

  Re-orgs and RIFs in a March disaster.
  The IBM bid fell upon us in a news flash after
  Analysts screamed high and then fell fast......
  IBM's bid landed foul on the grass.
  The players tried for an Oracle pass,
  With the European Union looking on aghast.

  This acquisition news was sweet perfume.
  The industry spun up many tunes.
  The Stock holders all lined up to dance,
  But...they never got the chance!
  `cause when Oracle tried to take the field;
  The European Union refused to yield.
  Do you recall what was revealed
  The day Sun Microsystems died?

  They started singing,
  Bye-bye, dear 'ole S--M--I
  You drove those networks to the limit
  And made applications fly!!
  Them corporate boys have kissed Sun good-bye.
  Singing,  "Time to give Oracle a try.
  Time to give Oracle a try!!"

  So, now we are all here in one place,
  An acquisition stuck in space
  With no time left to start again.
  So, Larry be nimble, Larry be quick!
  Use your brains and might and wit,
  'Cause profit is the market's only friend.

  As this plays out on the world stage
  My hands are clenched in fists of rage.
  Can this angel born in hell
  Break those devils' spell?
  Our company falls deeper every night
  And crumbles under this burdensome rite,
  I saw the competition laughing with delight
  The day Sun Microsystems died.

  They were singing,
  Bye-bye, dear 'ole S--M--I
  You drove those networks to the limit
  And made applications fly!!
  Them corporate boys have kissed Sun good-bye,
  Singing, "Time to give Oracle a try.
  Time to give Oracle a try."

  I met a guy who wrote some code
  And I asked him what the future bodes,
  But he just smiled and typed away.
  So, I went on to the Inter Net
  Where I'd played with Sun years before,
  But the sites there said that Sun had gone away.

  And in the streets: the customers screamed,
  The partners cried, and the programmers dreamed.
  But not a word was spoken;
  The systems all were broken.
  And those groups I admire most:
  The Engineers, Sales Reps and Service folks,
  They caught the last train for the coast
  The day Sun Microsystems died.

  They were singing,
  Bye-bye, dear 'ole S--M--I
  We drove those networks to the limit
  And made applications fly!!
  Them corporate boys have kissed Sun good-bye,
  Singing, "Time to give Oracle a try.
  Time to give Oracle a try."

  Bye-bye, dear 'ole S--M--I
  We drove those networks to the limit
  And made applications fly!!
  Them corporate boys have kissed Sun good-bye,
  Singing, "Time to give Oracle a try.
  Time to give Oracle a try."


Discovering Identity was founded on in May 2005 as a means of documenting my exploration of the field of Identity and Access Management. In February, 2010, I switched to hosting the blog at In March 2012, I began posting Oracle-related information in both places.

Thanks for stopping by.

Please connect with me in cyberspace at LinkedIn or Twitter.

The views expressed on this blog are my own and do not necessarily reflect the views of my employer, Oracle Corporation, or any other person or organization.

