Thursday Jul 19, 2012

Oracle Identity Management 11g R2: Securing the New Digital Experience

Today, the 11g R2 version of the Oracle Identity and Access Management platform was formally announced, with the tagline, “Optimized to Secure the New Digital Experience.”

We in the information security organizations of Oracle have been waiting anxiously for this announcement.  This week, the North American Sales and Sales Consulting organizations gathered in Santa Clara, CA, to be training in this exciting new set of products.

There are three major reasons why I believe this announcement is a big step forward for our customers.

First, this release delivers advanced functionality that gives really compelling business reasons for existing Sun Identity Manager customers to migrate to the Oracle Platform. It is no longer an issue of “moving from point A to point A in functionality,” just to get on the Oracle platform before premium support expires for the Sun product.  It means moving to the Oracle platform to leverage really innovative capabilities that will accelerate business value..

Second, this platform brings to reality a dream we were promoting at Sun as part of Project Destination way back before the Oracle acquisition: integrating Identity and SOA technologies to deliver “highly personalized, identity-enabled, blended applications on mobile devices.”  The new Mobile and Social capabilities and Secure API functionality added to the Oracle Access Management platform, provide a fully-integrated platform to deliver such functionality more easily and more securely than ever before.  Back at Sun, many of our customers adopted the vision we espoused, but making it happen was pretty hard work.  Now, the Oracle Access Management platform does all the heavy lifting for us.

Third, this release shows continued, significant progress towards Oracle’s vision of a truly integrated, service-oriented architecture for Identity and Access Management.  No longer is the Oracle suite just a nice collection of acquired products.  From my perspective as an Enterprise Architect, it is great to see the convergence of data models, functionality, administration services and architectural components.  It is the simplification and streamlining of architecture that will ultimately solve the complexity our customers face.

So, it will be great to work with our customers to show how they can leverage this great platform to meet their business needs. Saddle up for a great ride!

Wednesday Jun 20, 2012

Oracle Event: Database Enterprise User Security

One of the high-value benefits of an integrated Identity and Access Management platform is the ability to leverage a unified corporate directory as the primary authentication source for database access. On July 11, 2012 at 08:00 am PDT, Oracle will host a webcast showing how Enterprise User Security (EUS) can be used to externalize and centrally manage database users in a directory server. The webcast will briefly introduce EUS, followed by a detailed discussion about the various directory options that are supported, including integration with Microsoft Active Directory. We'll conclude how to avoid common pitfalls deploying EUS with directory services. Discussion topics will include
  • Understanding EUS basics
  • Understanding EUS and directory integration options
  • Avoiding common EUS deployment mistakes
Make sure to register and mark this date on your calendar! - Click here to register.

Friday Apr 27, 2012

Titantic Catastrophe: Compliant Doesn’t Mean Secure

TitanicApril 15th marked the 100th anniverasary of the sinking of the RMS Titanic - by any measure a catastrophe of epic proportions. As we think about lessons collectively learned from this event, may I suggest a nugget worth remembering that has little to do with sinking ships, but a lot to do with the enterprise we serve today? According to a recent ABC article:
... the Titanic was fully compliant with all marine laws. The British Board of Trade required all vessels above 10,000 tonnes to carry sixteen lifeboats. The White Star Line ensured that the Titanic exceeded the requirements by four boats.
But we all know that twenty lifeboats were not nearly enough for this ship.  The article continues:
But the ship was 46,328 tonnes. The Board of Trade hadn't updated its regulations for nearly 20 years. ... The lifeboat regulations were written for a different era and enforced unthinkingly.
"Enforced unthinkingly."  Therein lies our little lesson. In discipline of information security, we may be tempted to think that "compliant" means secure.  But we must not accept that at face value.  We must really understand what regulations mean and how they apply to our enterprises.  PCI DSS or HIPAA compliance may go part way, but do they really go far enough to protect our vital information that is the lifeblood of our businesses? Let's make sure we have adequate "lifeboats" and not rely completely on those who write regulations to protect our businesses.

Thursday Mar 15, 2012

The Linked Data Strategy for Global Identity

Links

A colleague recently shared an interesting article with me.  "The Linked Data Strategy for Global Identity" by Hugh Glaser and Harry Halpin focuses on dealing with "the Identity problem in the context of linked data."  Unfortunately, there is a charge to by the article, but here is an overview.

The topic is introduced this way:

Identity is easily one of the most difficult research areas on the Web and Semantic Web, and one that needs both practical solutions and multidisciplinary research. Identity is how to refer reliably to anything, abstract or more concrete, over time and space, and in different contexts. We’re used to identity being quite simple, as your name easily refers to you when another person is speaking to you. Yet on closer inspection, and at a Web scale, identity is quite tricky, as when you type your name into a search engine and see that it can refer to many other people in different contexts.

I can identify with that problem - there are many "Mark Dixons" in the world who are far more famous than I.  For example, I am quite sure that "Emmy-nominated and AP Award winning Channel 3 Early Warning Weather Meteorologist Mark Dixon" is not the author of this blog.

The whole topic of Linked Data is fascinating to me.  A Wikipedia article on the subject states:

Linked data describes a method of publishing structured data so that it can be interlinked and become more useful. It builds upon standard Web technologies such as HTTP and URIs, but rather than using them to serve web pages for human readers, it extends them to share information in a way that can be read automatically by computers. This enables data from different sources to be connected and queried.

Again, I can relate … there exists a myriad of data about me on the Internet, some published by me and some by others.  It is really very disjoint and often unconnected.  If people poke around at the information, they may be able to related disparate items because they recognize my photo or other descriptive attributes.  However, it would be very difficult for computers to automatically related all the different items. (That might now be such a bad think in many cases).

After exploring a few alternative approaches to this thorny problem, the Global Identity article concludes:

The entire bet of the linked data enterprise critically rests on using URIs to create identities for everything. Whether this succeeds might very well determine whether information integration will be trapped in centralized proprietary databases or integrated globally in a decentralized manner with open standards. Given the tremendous amount of data being created and the Web’s ubiquitous nature, URIs and equivalence links might be the best chance we have of solving the identity problem, transforming a profoundly difficult philosophical issue into a concrete engineering project.

It will be interesting to see what progress is made on this issue in upcoming years.

Tuesday Dec 22, 2009

Experimenting with FOAF

Thanks to the help of Henry Story, who recently presented the concepts of FOAF (an acronym of Friend of a friend) in a Sun Identity Interest teleconference forum, I have begun to experiment a bit with the technology.

According to the FOAF Wikipedia article:

FOAF is a descriptive vocabulary expressed using the Resource Description Framework (RDF) and the Web Ontology Language (OWL). Computers may use these FOAF profiles to find, for example, all people living in Europe, or to list all people both you and a friend of yours know. This is accomplished by defining relationships between people. Each profile has a unique identifier (such as the person's e-mail addresses, a Jabber ID, or a URI of the homepage or weblog of the person), which is used when defining these relationships.

The FOAF project, which defines and extends the vocabulary of a FOAF profile, was started in 2000 by Libby Miller and Dan Brickley. It can be considered the first Social Semantic Web application, in that it combines RDF technology with 'Social Web' concerns.

The FOAF project provides a way for me to maintain my personal Identity profile and link to others I know, creating a global social graph of acquainted people.  I don’t know much yet, but am intrigued by its possibilities.

You can visit my FOAF Card by clicking here, or view the XML for the corresponding FOAF file by clicking here.

If you have a FOAF file and would like to be added to my “knows” list, please send my the URL for your FOAF file.

Thanks!  I’ll keep you updated on my progress.

My Christmas Wish List: Personal Identity-Persona Service

christmas_wish_list It is almost Christmas Eve.  In the midst of an insomnia episode, I conjured up a crazy notion of making a Christmas wish list of things I want from a Personal Identity-Persona Service (PIPS).   Your list may be different, but here’s mine.

  1. Secure Identity Bank Vault for my Identity Profile and Credentials.  Of all the potential Identity Providers jostling for prominence in the market, I favor my bank the most.  They take pretty good care of my money, enable me to selectively send some of my money to other people, and seem to be sensitive to the issues surrounding security, privacy, liability and potential cyber threats.  I think I could trust them to take good care of my online Identity.  Think of it as the bank providing a safe deposit box for all the Identity attributes that I want to store and use, and providing the means to selectively take out Identity attributes for presentation to other people.  This vault should be located in a secure cloud, so I can get access from any computer or mobile device of my choice.  I think this is a concept even my technology-challenged wife, mother and father could readily understand and accept. 
  2. Really Easy to use Identity/Profile/Persona Editor.  With my Secure Identity Bank Vault in place, I need a really easy to use way to fill that vault with my Identity information and maintain it over time.  This will include the information I would normally include provide to an online merchant or social network, as well as subsets of such information that I can define for the purpose of presenting different personae to facilitate different online experiences.
  3. Multiple Levels of Identity Assurance or Validation.  I want to make sure that other people can’t impersonate me by setting up a  fake Identity Bank Vault for Mark Dixon that could be used to conduct illicit transactions.  To do that, methods need to be in place to validate the claims I make about my identity, such as birthplace, social security number, credit card numbers, etc.  Progressively rigorous checks of my background information will allow me to confidently present Bronze, Silver, Gold or Platinum Identity credentials to enable different levels of online interaction.
  4. Really Easy to use Persona Selector.  I need the ability to easily select from a set of personae I have defined in the Identity Bank Vault.   For example, I will most likely have one persona to use for online shopping, one for interaction with state government, and another for using my church website.  This selector needs to be immediately accessible, probably in the browser toolbar.  For mobile use, the persona selector needs to be easily accessed and presented by any online application that requires me to log in or pay for services.
  5. Multiple Levels of Secure Authentication.  I want to make sure that no one can access and use my Identity Bank Vault or persona and credentials it contains without my explicit permission.  In some cases, I may want to simply surf the web and virtually window shop by identifying myself with a user name and password.  However, I would like to restrict access to any financial transactions or health care record access by requiring a digital certificate (probably on a USB fob) and perhaps with a fingerprint check (perhaps via that same USB device).
  6. Option to Use Separate Personae for Login and Payment.  In some cases, I may want to use an Internet Persona to poke around the web, do some window shopping and try things out.  I may want to log in to Amazon, eBay, Barnes and Noble or other merchants before I decide to buy.  None of these merchants needs to know my credit card information before I decide to buy something.  Therefore, I need an easy method for first identifying myself and subsequently presenting my payment method.
  7. Audit Reports.  I would like to get an online “Identity bank statement” each month or on demand, detailing the my use of PIPS service.  This would allow me to verify that all uses were legitimate and would help me determine if adjustments were needed in my profile or use of the service.
  8. Fraud Insurance.  If a privacy breach or other unauthrorized use of my Identity or credentials occur through no fault of my own, I would like to be insured against possible damages.  This would be similar to the fraud protection currently provided by credit card companies.

Of course, in order for a PIPS service to be worth much, social Networks, online merchants, government agencies and other relying parties will need to accept my PIPS profile and credentials.   But wouldn’t it be great if I could maintain one set of Identity and Profile information and have that available for consumption by any merchant or social network, according to my wishes?  I would be willing to pay a yearly fee for such a service, much like I pay certain bank fees now. Or, perhaps those fees would be waived if I maintained a certain account balance or averaged a certain transaction volume on a credit card issued by the bank.

Will something like this happen?  I think so.  Probably not in 2010.  By 2015? I certainly hope so.

Thursday Dec 10, 2009

Federated Identity for Electronic Medical Records

Many thanks to my good friend Jonathan Gershater for sending me the link to another excellent post about Identity and Healthcare.  I particularly like his illustration of using Federated Identity to facilitate trusted exchange of medical records between different medical service providers. 

A user of any (Healthcare) ServiceProvider, who has been issued a digital identity by the trusted IdentityProvider, may seamlessly interact with the healthcare providers (SPs). The user will present the digital identity issued by the IdP, the SP will verify the Identity, and the user will be granted access to the Service Provider’s application. However, based on the user’s attributes and role, the functionality available to the user will vary.  A physician may alter a medical record but only within their specialty ( a dermatologist cannot alter a prescription for spectacles). A pharmacist may view but not alter the prescription for insulin in a healthrecord.  A patient may only view but not alter their medical record.

Federated Identity for Electronic Medical Records

Identity Enables NHIN or Health Internet

Jonathan Gershater recently published an interesting blog post exploring the conceptual differences between the National Health Information Network (NHIN) infrastructure, “a collection of standards, protocols, legal agreements, specifications, and services that enables the secure exchange of health information over the internet,” and an alternate approach known as the Health Internet, “an open-market standards-based approach to enable the exchange and sharing of electronic health data, using existing Internet standard protocols and web technologies.”

Jonathan referenced two informative posts on The Health Care Blog and Practice Fusion’s blog.  I’m still trying to wrap my mind around the significance of these two architectural directions, but it certainly appears that Identity is a critical part of the solution, regardless of what alternative approach or derivatives thereof may emerge.  Any Electronic Health Record (EHR) system must be based upon secure, flexible and scalable Identity Management system.

Thank, Jonathan, for the excellent reference.

Trufina: Tackling the Tough Issue of Identity Assurance

trufina Last week I had a stimulating conversation with Jim Kinchley and Chris Madsen, executives of Trufina, a “provider of online identity verification and identity management services, enabling individuals to verify their identity attributes online, and providing the identity management tools for sharing that verified identity information with individuals and websites across the Internet.”

In October, I posted an article entitled Identity Trend 4: Identity Assurance, one of a series of posts about important trends in the Identity Management industry. In that post I proposed, “With the continual expansion of online fraud and other threats to online security and privacy, the need for Identity Assurance methods are rising.  Being able to certify the that the correct Identity credentials are issue to the correct user before access is attempted is an increasingly critical issue.”

A few days after I authored that post, I became aware of Trufina, signed up for an account, paid a small fee, and had my Identity verified through a series of online questions drawn from publicly available information about me that presumably only I would know.  As evidence of that successful vetting process, I posted a Trufina badge on this blog (see right column).  This badge visually represents that my identity had been verified by Trufina, and provides a way that blog visitors could request a Trufina ID Card with details I elect to share.  Do you want to see how it works?  Please click on the Trufina badge or click here, enter your email address, and I’ll send you a link to see my Trufina-verified Identity Card.

Trufina provides a public API to allow websites to take advantage of Trufina identity validation services.  For example, the Naymz online Professional Reputation Network allows members to link their Trufina Verified ID to the Naymz profile.  In such a case, the Trufina Verified ID badge is shown on the Naymz member profile.  I don’t use the Naymz network as extensively as LinkedIn or Facebook, but neither of those more popular social networks have validated my Identity as well as Naymz has done, thanks to the Trufina process.

I look forward to seeing how Trufina progresses in the marketplace.  We really need a critical mass of easily accessible, yet secure, Identity validation services to increase the level of trust and confidence in online relationships.

Wednesday Nov 25, 2009

Video: Identity Management - Pathway to Enterprise Agility

After the CIO Frankly Speaking Breakfast event in Toronto on November 17th, Michelle Dennedy and I fielded questions about Identity Management from John Pickett of IT World Canada on camera.  A short video emerging from that interview was published on the IT World Canada website today.

CIOVideo

I couldn’t figure out how to embed the video on this blog post, but clicking on the image will take to you to the IT World Canada website where you can view the video.

Monday Nov 23, 2009

IAM is a Journey, not a Project

In our recent CIO Roundtable tour, a question about Identity and Access Management that emerged in every session was, “where do I go from here?”  It is one thing to talk about the theory of IAM; it is quite another thing to actually implement it in your enterprise.

My advice to the Roundtable participants and to you is this, “IAM is a journey, not a short-term event. Enterprises must begin to approach compliance as a long-term program, not a single project.  Take stock of where you are now, set objectives for where you want to be in the future, and execute your strategy in stages.”

To illustrate this process, the white paper I recently wrote, Identity and Access Management: Enabling HIPAA/HITECH Compliance, proposes thirteen best practices for approaching the application of IAM to HIPAA/HITEC compliance efforts.  Recognizing that IAM is a journey, not a project, is one of the best practices.

Think program, not project. HIPAA/HITECH compliance is a journey, not a short-term event. Enterprises must begin to approach compliance as a long-term program, not a single project. An effective and holistic compliance program should also incorporate governance and risk management. Boards of directors and executives are frequently being held to higher standards than ever before as they are expected to be knowledgeable about, and held liable for, everything going on within the enterprise.

roadmap

The step-by-step process depicted above doesn’t fit everyone.  It only serves to illustrate the need to for defining your IAM journey as a series of phases subdivided into measureable steps.  Our experience has shown that those enterprises who follow this basic process usually succeed, while those who attempt to do much all at once, or focus on one small tactical project, often fail to realize the benefits of a well-executed IAM strategy.

Happy trails!  (I couldn’t resist that last comment, even though the “happy trails” comment in my previous post dealt with airline travel, not IAM journeys.)

Lax Identity Enforcement with TSA. Really?

I read a disturbing article by Dan Schwab of Fox Chicago News this morning entitled “Probe: ID rules lax at Chicago airports.” Perhaps the fact that I will board my 13th flight segment in two and a half weeks this afternoon fueled my interest in the article, which reported “a Fox Chicago News investigation discovered a major loophole at TSA checkpoints at O’Hare and Midway.”

During the past two months, Fox flew multiple employees – male, female, black, white, and Muslim – to different destinations around the country on different airlines.

The only requirement: They were not allowed to bring a photo ID. No passport. No driver’s license.

On every occasion, these Fox employees were allowed through security without a hitch as long as they showed that the name on their boarding pass matched the name on a couple of credit cards, according to Fox Chicago News.

Credit cards for identification?  What happened to the requirement of a photo ID?  This shows a remarkable lack of TSA compliance with recommended policy:

The federal Sept. 11 Commission’s final report included 10 pages that focused solely on the issue of terrorism and identity fraud. The report states: “Travel documents are as important as weapons. Fraud is no longer just a problem of theft. At many entry points to vulnerable facilities, including gates for boarding aircraft, sources of identification are the last opportunity to ensure that people are who they say they are.” …

By checking credit cards rather than a photo ID, TSA simply was following its own rules, which vaguely state that passengers without an acceptable ID will have to provide “information” to verify their identity, according to Fox Chicago News.

I’m not a big fan of the TSA.  To me, it is at best a huge, bumbling bureaucracy, and at worst, a huge, oppressive police force.  I really don’t feel safer because of them.  However, regardless of my feelings, this is a clear example about how poorly executed identity policy can lead to easily exploited security breaches, even as a false aura of safety is provided for the law-abiding majority, who obediently shed shoes and jackets, empty pockets and briefcases, and subject themselves to humiliating searches while many obvious loopholes remain.

Just one example … next time you go through the TSA screening process, notice how closely (or not) airport employees’ ID badges are examined. 

Happy trails!

PS.  The Dave Granlund cartoon reminds me of the time I brought exercise weights with me on a trip.  My luggage was manually searched every time – on each of four flight segments that week.  I now keep those dastardly weights safely at home with my horribly dangerous one-inch pocket knife.  Bitter?  Nah!

Technorati Tags: , , , ,

Tuesday Nov 17, 2009

Identity and Access Management - Enabling HIPAA/HITECH Compliance

hipaa The white paper I mentioned several days ago, Identity and Access Management – Enabling HIPAA/HITECH Compliance, is now hot off the press and ready for download.  Thanks to all the great people at Sun Microsystems that contributed to this project and made it a reality.  Hopefully, the paper will be beneficial to those who are facing the challenges of how to comply with the increasing regulations surrounding management of healthcare data and information systems.

The paper’s abstract reads:

As healthcare organizations and vendors become more reliant on digital information technology, complying with increasing regulatory requirements presents a range of challenges. This paper explores the requirements that these organizations face, best practices for implementing identity management systems that help ensure compliance, and how Sun’s pragmatic approach to identity management simplifies the technology environment.

The table of contents:

  1. Executive Summary
  2. Healthcare Information Technology Challenges
  3. Health Insurance Portability and Accountability Act (HIPAA)
  4. Health Information Technology for Economic and Clinical Health Act (HITECH)
  5. Impact of HIPAA, HITECH and Related Regulations
  6. The Role of IAM in HIPAA/HITECH Compliance
  7. Sun IAM Product Introduction
  8. Best Practices for the IAM/Compliance Journey
  9. How to Get Started with HIPAA/HITECH and IAM
  10. The Sun IAM Workshop
  11. References

Please let me know if you have any questions or would like to discuss the content in more detail.

Frankly Speaking: Identity Management

It was nice to see a short piece covering the CIO Frankly Speaking Breakfast event in Toronto yesterday, where Michelle Dennedy and I fielded questions about Identity Management and Cloud Computing from John Pickett of IT World Canada.  I particularly liked the statement made by Michelle, “Identities are now being realized as the true assets for the organization.”

Friday Nov 13, 2009

I am (an honorary) Canadiam!

About a month ago, I received an invitation to join a new LinkedIn group, “Canadiam – IAM in Canada,” hosted by Mike Waddingham, whom I had never met in person.  Mike had recently launched a new blog of the same name, and formed the LinkedIn group to complement his blog. Mike asserted:

"Identity and Access Management in Canada is different. American identity issues are complicated by their obsession with national security. British data and privacy laws are decidedly different than ours. Identity and Access Management (IAM) implementations vary greatly from country to country. We need a ‘conversation’ about IAM in Canada. Canadiam is that conversation.”

The call for a Canadian IAM conversation is certainly timely, and I think the blog/group name is great, reminiscent of the legendary Molson Beer commercial, "I am Canadian", which Mike embedded within the maiden post on the Canadiam blog and I include here for your enjoyment.

Back in 2000 when this commercial was first released, I was employed with Oracle and doing quite a bit of work in Canada, so watching it again brought back fond memories of choice experiences I have had with great friends north of the border.

So, I joined Canadiam as an “honorary” Canadian, and enjoyed reading Mike’s posts, including “Canada’s top court enforces license photos,” and “Canadian Identity Assertion.”  Even though I don’t quite fit the qualifications specified in the Canadian Identity Assertion, I am honored to be associated.

Fast forward to yesterday morning.  I had arrived in Vancouver to participate as a panelist in the CIO Magazine / Sun Microsystems breakfast event, “Identity Management - Pathway to Enterprise Agility.”  Before joining my colleagues at the event, I took a moment to post a short message on the Canadiam LinkedIn group that I was in town and would participate in a similar event in Toronto next Tuesday.

We had a great session, moderated by John Pickett, VP & Community Advocate at IT World Canada. Michelle Dennedy and I fielded questions about Identity Management, Privacy, Security and Cloud computing from John and members of the audience.  After the session, a man from the rear of the room, who had offered several insightful comments and excellent questions, came forward to introduce himself.  It was none other than Mike Waddingham himself!  I hadn’t recognized him from his LinkedIn photo and certainly didn’t expect him to be in attendance.  I had assumed he lived in the Toronto area.  But Mike had travelled to Vancouver from his home base in Edmonton to attend the event.

I never cease to be amazed at the surprise personal encounters I have at almost professional gathering I attend, where I meet people in person for the first time after connecting previously on line.  The magic of online interaction, while valuable and delightful in and of itself, always seems to be amplified by face-to-face interaction.

So, Mike and all you Canadiams, thanks for the privilege of being numbered among you as an honorary Canadian.  Thanks for giving me another treasured “social networking moment.” I look forward to participating further in the Canadian IAM discussion.

About

Discovering Identity was founded on blogs.sun.com in May 2005 as a means of documenting my exploration of the field of Identity and Access Management. In February, 2010, I switched to hosting the blog at DiscoveringIdentity.com. In March 2012, I began posting Oracle-related information in both places.

Thanks for stopping by.

Please connect with me in cyberspace at LinkedIn or Twitter.


The views expressed on this blog are my own and do not necessarily reflect the views of my employer, Oracle Corporation, or any other person or organization.

Search

Archives
« July 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
  
       
Today