
Recent Posts

Security Link Roundup - January 4, 2016

I'm Mark Wilcox, the Chief Technology Officer for Oracle Consulting - Security in North America, and this is my weekly roundup of security stories that interested me.

### Database of 191 million U.S. voters exposed on Internet: researcher

So 2016 starts off with another headline of a database breach. In this case 191 million records of US voters. This is ridiculous. And could have been prevented. And a sobering reminder to contact your Oracle representative and ask them for a database security assessment by Oracle Consulting.

### Secure Protocol for Mining in Horizontally Scattered Database Using Association Rule

Data mining is a hot topic - it's essential to marketing, sales and innovation, because companies have lots of information on hand but until you start mining it you can't really do anything with it. And often that data is scattered across multiple databases. In this academic paper from the "International Journal on Recent and Innovation Trends in Computing and Communication" the authors describe a new protocol that they claim respects privacy better than other options. On the other hand - Oracle already has lots of security products (for example database firewall, identity governance) that you can implement today to help make sure only the proper people have access to the data. So make sure to call your Oracle representative and ask for a presentation by Oracle Consulting on how Oracle security can help protect your data mining databases.

### A Guide to Public Cloud Security Tools

Cloud computing is happening. And most people are still new to the space. This is a good general article on the differences in security between public and private clouds, plus it has a list of tools to help you with cloud security. And if you are wanting to use cloud to host Oracle software - please call your Oracle representative and ask them to arrange a meeting with Oracle Consulting Security to talk about how Oracle can help do that securely.

### Survey: Cloud Security Still a Concern Heading into 2016

Security continues to be the biggest concern when it comes to cloud. While there are challenges - I find securing cloud computing a lot simpler than on-premise, assuming your cloud hosting is with one of the major vendors such as Oracle or Amazon. And if you are wanting to use cloud to host Oracle software - please call your Oracle representative and ask them to arrange a meeting with Oracle Consulting Security to talk about how Oracle can help do that securely.

### 40% BUSINESS DO NOT USE "SECURITY ENCRYPTION" FOR STORING DATA IN CLOUD

"Holy crap, Marie." I watch a lot of reruns of "Everybody Loves Raymond" and I feel like this story is another rerun. Except unlike Raymond this is a rerun of a bad TV show. Encrypting a database is one of the best ways to secure your data from hackers. So before you start storing data in the cloud, in particular with an Oracle database, make sure you have Oracle Consulting do a security assessment for you. That way you can know what potential problems you have before you start storing sensitive production data.

Image credit: unsplash.


How To Do Single Sign On (SSO) for Web Services

A recent question on our internal list was "A customer has OAM and wants to do SSO to SOAP Web Services". In this case the customer was using WebCenter Content (the product formerly known as Unified Content Manager, UCM), but the scenario applies to any SOAP Web Service. My answer was well received and there isn't anything proprietary here, so I thought I would share it to make it easier for people to find and for me to refer to later.

First - there is no such thing as SSO in web services. There is only identity propagation. Meaning that I log in as Fabrizio into OAM and connect to a Web application protected by OAM. That Web application is a Web Services client, and I want to tell the client to tell the Web Service that Fabrizio is using the service.

The first step to set this up is to protect the web services via OWSM.

The second step is to translate the OAM token into a WS-Security token. There are 3 ways to do this second step:

1 - If you are writing a manual client and don't want any other product involved - use OAM STS.
2 - Use Oracle Service Bus (which most likely will also use OAM STS but should make this a couple of mouse clicks).
3 - Use OAG - which doesn't need to talk to STS. It has a very simple way to convert OAM into a WS-Security header.

If you're not using OSB already - I would recommend OAG. It's by far the simplest, plus you get the additional benefits of OAG.

PS - You can use OSB and OAG together in many scenarios - I was only saying to avoid OSB here because the service was already exposed and there was no benefit I could see for having OSB. If you have a reason to have OSB - let me know. I only know OSB at a very high level since my area of focus is security.


The Difference Between Access Manager 10g and 11g Webgates

A common question we get is what is the difference between Access Manager 10g and Access Manager 11g webgates. My colleague Yagnesh, who covers webgates, put together a simple list.

Here are the 11g features:

- Oracle Universal Installer for platform. Generic for all platforms.
- Host-based cookie.
- Individual WebGate OAMAuthnCookie_ making it more secure.
- A per-agent key, and server key, are used. Agent key is stored in wallet file and Server key is stored in Credential store.
- One per-agent secret key shared between 11g WebGate and OAM Server. One OAM Server key.
- OAM 11g supports cross-network-domain single sign-on out of the box. Oracle recommends you use Oracle Identity Federation for this situation.
- Capability to act as a detached credential collector.
- Webgate Authorization Caching.
- Diagnostic page to tune parameters.
- Has separate install and configuration option. Hence, single install and multiple instance configuration is supported.

And 10g:

- InstallShield and one installer per platform.
- Domain-based cookie.
- ObSSOCookie (one for all 10g Webgates).
- Global shared secret stored in the directory server only (not accessible to WebGate).
- There is just one global shared secret key per OAM deployment which is used by all the WebGates.
- OAM 10g provides a proprietary multiple network domain SSO capability that predates Oracle Identity Federation. Complex configuration is required.
- One Web server configuration supported per WebGate. Need to have multiple WebGates for multiple instances.


Announcing Oracle Optimized Solution for Oracle Unified Directory

I'm happy today to be able to share that we released an optimized solution for Oracle Unified Directory. It's one of the first public announcements we can make of several cool & useful things we've been working on. We have more coming from the identity & access team. Which reminds me - for my loyal readers here - since December 2011 - besides covering directory - I am also now on the Oracle Access Manager Suite team.

My colleague Sylvain's post summed up nicely what it is:

"Oracle Optimized Solution for Oracle Unified Directory is a complete solution - Software and Hardware engineered to work together. It implements Oracle Unified Directory software on Oracle's SPARC T4 servers to provide highly available and extremely high performance directory services for the entire enterprise infrastructure and applications. The solution is architected, optimized, and tested to deliver simplicity, performance, security, and savings in enterprise environments. More details available at http://www.oracle.com/us/solutions/1571310"

While that post is short - it is dense with information. So to explain it more simply - within Oracle we have a team (Optimized Solutions) who work with our product teams to show how our customers can get the best performance out of our hardware when running a specific software package. Instead of just giving you a generic tuning guide for our product - we've gone through the tuning steps and tested the configuration(s) for you. Thus besides giving you great performance - it's faster & simpler deployment because you can reduce the time it takes to run a tuning exercise from scratch. Optimized Solutions simplifies that exercise because we've already done most (if not all) of the work for you.

Click here to learn more about our Optimized Solution for Oracle Unified Directory.


Oracle Identity Management (OID, OVD, OIF) 11gR1 Patchset 5 (11.1.1.6) Released.

I'm sure you've seen the flood of announcements from the other Fusion Middleware products about the 11.1.1.6 release. We got in on the fun too. You can download it here. And for a fresh install - you can start directly from 11.1.1.6. For the most part this is just a bug fix release for us. But there are a couple of enhancements I would like to share.

### Oracle Virtual Directory

The biggest enhancement I would highlight is that we have dramatically simplified configuring OVD for Enterprise User Security (EUS). EUS has been something that has always worked but required executing lots of individual steps. We now have this set up as a wizard, and OVD's own Local Store Adapter holds most of the meta-data. So less work on the enterprise LDAP and fewer steps. It should mean initial EUS configuration by most people can now be done in less than a day.

### Directory Integration Platform

DIP has been part of Oracle for over a decade but until 11.1.1.6 it required OID. Now it can be used with DSEE or OUD as its metadata store. This now means that if you want to deploy DSEE or OUD but need to synchronize groups & users from AD - you can do it without needing any type of custom code or bringing in a full provisioning product.


How To Simplify Your Password Management With Oracle Enterprise Single Sign-On

We're doing another free webcast - this time on Enterprise Single Sign-On. Click here to register.

Addressing Your Password Nightmares with an Enterprise Single Sign-On Platform

Webcast Date: Wednesday, October 19, 2011
Webcast Time: US Pacific 10am PDT

Studies estimate that nearly 25 percent of all help desk calls are related to password resets. The modern enterprise IT environment demands a balance between the intense security required to meet a variety of compliance standards and the need for flexibility and ease-of-use on the part of end-users. Enterprise single sign-on (ESSO) can help strike that balance and protect your business. ESSO built into your identity management platform can offer even more. It can reduce risk, enhance user productivity, cut costs, and provide a long-term solution to password management.

Join us for this live complimentary Webcast where industry experts from Oracle will discuss:

- How to slash your password related help desk costs and improve user experience
- The benefits of ESSO integrated into an identity management platform
- Best practices for a successful ESSO deployment

You'll also have the opportunity to get answers to your most nagging security questions during the live Q&A.


How To Query OVD, OID, DSEE Using SQL

One of the perpetual questions in LDAP is "how to query via SQL". I even wrote a post on this 3 years ago. And while it doesn't occur very often anymore - it popped up again this week. So I suspect there might be others.

First - to be clear - SQL is very different from LDAP. SQL is simply a standardized query language for querying a relational database. Each database has a different protocol - that's why each database must provide its own database driver even for a standard connection API like JDBC (or ODBC or .NET ADO).

Second - if you have access to an Oracle database (even Oracle XE) you can use the DBMS_LDAP PL/SQL API to query an LDAP server. And a very useful trick to perform with that is to create a database view that maps to a DBMS_LDAP call. When you go this route - you can have your PL/SQL expert write one package and then anything that can connect to the view can use the data without needing to use PL/SQL or LDAP.

Third - if you are using Java - you can use the JDBC-LDAP library. JDBC-LDAP is a JDBC driver we wrote almost a decade ago at OctetString. Because there was so little demand for it - we actually released it as open-source and donated it to OpenLDAP. And you can get pre-built binaries here. Once you have JDBC-LDAP then you can use it similar to any other JDBC driver. And even do a SQL query - though it has a strong LDAP flavor:

```java
ResultSet rs = stmt.executeQuery("SELECT cn, uniquemember FROM subTreeScope;dc=example,dc=com WHERE objectclass=groupofuniquenames");
```

This says "retrieve the cn and uniquemember attributes from any groupofuniquenames objects under the dc=example,dc=com branch". In LDAP terms - the start of the statement lists which attributes you want (this could be * for all attributes), the scope & search base are set in the FROM clause, and the WHERE clause is the LDAP filter.

And here is an example of what the results look like (captured from my output in NetBeans):

```text
run:
Sort by : null
numColumns is 4
uniquemember_0:uid=kvaughan,ou=People,dc=example,dc=com
uniquemember_1:uid=rdaugherty,ou=People,dc=example,dc=com
uniquemember_2:uid=hmiller,ou=People,dc=example,dc=com
cn:Directory Administrators
uniquemember_0:uid=scarter,ou=People,dc=example,dc=com
uniquemember_1:uid=tmorris,ou=People,dc=example,dc=com
uniquemember_2:
cn:Accounting Managers
uniquemember_0:uid=kvaughan,ou=People,dc=example,dc=com
uniquemember_1:uid=cschmith,ou=People,dc=example,dc=com
uniquemember_2:
cn:HR Managers
uniquemember_0:uid=abergin,ou=People,dc=example,dc=com
uniquemember_1:uid=jwalker,ou=People,dc=example,dc=com
uniquemember_2:
cn:QA Managers
uniquemember_0:uid=kwinters,ou=People,dc=example,dc=com
uniquemember_1:uid=trigden,ou=People,dc=example,dc=com
uniquemember_2:
cn:PD Managers
BUILD SUCCESSFUL (total time: 1 second)
```

Posted via email from Virtual Identity Dialogue
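As an added example (not code from the post or from the JDBC-LDAP driver), the Python below shows how that SQL flavour maps onto an ordinary LDAP search: it parses `SELECT attrs FROM scope;base [WHERE filter]` into base DN, scope, filter and attribute list, renders the equivalent OpenLDAP `ldapsearch` command line, and runs the statement against a few constructed `groupofuniquenames` entries so the `uniquemember_0`, `uniquemember_1`, ... column flattening (and the empty `uniquemember_2` for two-member groups) seen in the NetBeans output can be reproduced offline. The `baseScope` and `oneLevelScope` keywords, the `SAMPLE_ENTRIES` data and all function names are assumptions of this example; only `subTreeScope` appears in the post, and the filter evaluator handles a single equality or presence filter only.

```python
"""JDBC-LDAP style SQL -> LDAP search parameters, with an in-memory runner.
Added example for this page; it is not code from the JDBC-LDAP driver."""
import re
import shlex

# Scope keywords of the dialect. The post shows only subTreeScope; the other
# two names are assumed here to cover the three LDAP search scopes.
SCOPES = {"basescope": "base", "onelevelscope": "one", "subtreescope": "sub"}

_STMT = re.compile(
    r"^\s*SELECT\s+(?P<attrs>.+?)\s+FROM\s+(?P<scope>\w+)\s*;\s*(?P<base>.+?)"
    r"(?:\s+WHERE\s+(?P<filter>.+?))?\s*;?\s*$",
    re.IGNORECASE | re.DOTALL,
)
_EQ = re.compile(r"^\((?P<attr>[A-Za-z][\w;-]*)=(?P<val>[^)]*)\)$")


def parse_ldap_sql(sql):
    """Split 'SELECT attrs FROM scope;base [WHERE filter]' into search parameters."""
    m = _STMT.match(sql)
    if not m:
        raise ValueError("expected SELECT <attrs> FROM <scope>;<base> [WHERE <filter>]")
    scope = SCOPES.get(m["scope"].lower())
    if scope is None:
        raise ValueError("unknown scope keyword %r" % m["scope"])
    attrs = [a.strip() for a in m["attrs"].split(",") if a.strip()]
    if attrs == ["*"]:
        attrs = []  # empty list means all attributes, as in ldapsearch
    flt = (m["filter"] or "(objectclass=*)").strip()
    if not flt.startswith("("):
        flt = "(%s)" % flt  # the dialect accepts a bare filter; LDAP needs parentheses
    return {"base": m["base"].strip(), "scope": scope, "filter": flt, "attrs": attrs}


def to_ldapsearch(q):
    """Render the parsed query as the equivalent OpenLDAP ldapsearch command line."""
    parts = ["ldapsearch", "-x", "-b", q["base"], "-s", q["scope"], q["filter"]] + q["attrs"]
    return " ".join(shlex.quote(p) for p in parts)


def matches(entry, flt):
    """Evaluate one equality or presence filter; compound filters are out of scope here."""
    m = _EQ.match(flt)
    if not m:
        raise ValueError("only a single (attr=value) or (attr=*) filter is supported")
    values = [v.lower() for v in entry.get(m["attr"].lower(), [])]
    return bool(values) if m["val"] == "*" else m["val"].lower() in values


def in_scope(entry_dn, base, scope):
    """Scope test by DN suffix (assumes normalised DNs without spaces after commas)."""
    e, b = entry_dn.lower(), base.lower()
    if scope == "base":
        return e == b
    if e == b:
        return scope == "sub"
    if not e.endswith("," + b):
        return False
    depth = e[: -len(b) - 1].count(",") + 1
    return scope == "sub" or depth == 1


# Constructed sample data modelled on the example.com groups in the post's output.
SAMPLE_ENTRIES = [
    {"dn": "cn=Directory Administrators,ou=Groups,dc=example,dc=com",
     "objectclass": ["top", "groupofuniquenames"], "cn": ["Directory Administrators"],
     "uniquemember": ["uid=kvaughan,ou=People,dc=example,dc=com",
                      "uid=rdaugherty,ou=People,dc=example,dc=com",
                      "uid=hmiller,ou=People,dc=example,dc=com"]},
    {"dn": "cn=Accounting Managers,ou=Groups,dc=example,dc=com",
     "objectclass": ["top", "groupofuniquenames"], "cn": ["Accounting Managers"],
     "uniquemember": ["uid=scarter,ou=People,dc=example,dc=com",
                      "uid=tmorris,ou=People,dc=example,dc=com"]},
    {"dn": "uid=scarter,ou=People,dc=example,dc=com",
     "objectclass": ["top", "person", "inetorgperson"], "cn": ["Sam Carter"], "uid": ["scarter"]},
]


def run_query(sql, entries=SAMPLE_ENTRIES):
    """Run the statement in memory. Multi-valued attributes become attr_0, attr_1, ...
    columns padded to the widest hit, hence the empty uniquemember_2 in the post."""
    q = parse_ldap_sql(sql)
    hits = [e for e in entries if in_scope(e["dn"], q["base"], q["scope"]) and matches(e, q["filter"])]
    wanted = q["attrs"] or sorted({k for e in hits for k in e if k != "dn"})
    width = {a: max([len(e.get(a.lower(), [])) for e in hits] or [0]) for a in wanted}
    rows = []
    for ent in hits:
        row = {}
        for attr in wanted:
            vals = ent.get(attr.lower(), [])
            if width[attr] <= 1:
                row[attr] = vals[0] if vals else ""
            else:
                for i in range(width[attr]):
                    row["%s_%d" % (attr, i)] = vals[i] if i < len(vals) else ""
        rows.append(row)
    return q, rows


if __name__ == "__main__":
    query, result = run_query("SELECT cn, uniquemember FROM subTreeScope;dc=example,dc=com "
                              "WHERE objectclass=groupofuniquenames")
    print(to_ldapsearch(query))
    print("numColumns is", len(result[0]) if result else 0)
    for r in result:
        for col, val in r.items():
            print("%s:%s" % (col, val))
```

Running the script prints the `ldapsearch` equivalent of the post's statement followed by the same `attr:value` rows the driver produced; `run_query` is the function to call from your own code if you want the parsed parameters and rows rather than printed output.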


OID Supports 400,000 (Four Hundred Thousand!!) Operations Per Second on 500 Million User Database. AKA OID Eats Facebook Database For Breakfast

It's funny - on the Internet - we can forget that no matter how popular new technologies like Twitter or Facebook are, other less "fashionable" (after a few drinks you might even say "dead" :)) technologies like SMTP, IMAP and of course LDAP still handle far more social networks than these two systems do.

And we've seen this because in the past year there have been a number of new opportunities around building new extremely large (e.g. larger than 10 million) directory servers. Typically this is because companies are either launching new cloud services or consolidating older user databases into standards-based approaches. This isn't just the usual suspects (e.g. telco) either. Insurance agencies, retailers and others who have large customer bases that need to use a directory service for customer-facing portals, messaging, etc. are all looking into these types of solutions.

At Oracle both OID and DSEE are strategic options for directory services. We love them both :). But because OID uses the Oracle RDBMS for its storage - when it comes to these extremely large directories it gives customers some unique capabilities that don't exist with any other directory product. In particular:

- the ability to scale to an extremely large number of entries without needing to split the entry database into multiple instances (called partitions)
- it can leverage Oracle Exadata database machines

And we have put this together into a new whitepaper. In this white paper we showed how we got OID 11g on an Exadata machine containing 500 million entries (e.g. roughly the size of Facebook's 2010 user population) to 400K operations per second. And that was only on an Exadata half-rack, with 10Gb Ethernet (as opposed to InfiniBand). Meaning - we're not even close to maxing out the performance here. Yet we're easily lapping the field and doing it with less management overhead.

Or in other words - if you find you need a new large-scale directory, there really isn't any reason to be looking at any other directory vendor. Because no other vendor gives you two proven options to scale to these numbers. You can either choose to scale horizontally by data partitioning using DSEE leveraging existing commodity hardware, or you can avoid partitioning by utilizing the power of the Oracle RDBMS with OID, with or without the unique capabilities of Oracle Exadata.


Lessons From OpenId, Cardspace and Facebook Connect

Image credit: (c) denise carbonell

I think Johannes Ernst summarized pretty well what happened in a broad sense in regards to OpenId, Cardspace and Facebook Connect. However, I'm more interested in the lessons we can take away from this.

First - "Apple Lesson" - If user-centric identity is going to happen it's going to require not only technology but also a strong marketing campaign. I'm calling this the "Apple Lesson" because it's very similar to how the Apple iPad saw success vs the tablet market. The iPad is not only a very good technology product but it was backed by a very good marketing plan. I know most people do not want to think about marketing here - but the fact is that nobody could really articulate why user-centric identity mattered in a way that the average person cared about.

Second - "Facebook Lesson" - Facebook Connect solves a number of interesting problems in a way that is easy for both consumers and service providers. For a consumer it's simple to log in without any redirects. And while Facebook isn't perfect on privacy - no other major consumer-focused service on the Internet provides as much control over sharing identity information. From a developer perspective it is very easy to implement the SSO and fetch other identity information (if the user has given permission). This could only happen because a major company decided to make a singular focus to make it happen.

Third - "Developers Lesson" - The Facebook Social Graph API is by far the simplest API for accessing identity information, which is another reason why you're seeing such rapid growth in Facebook-enabled Websites. By using a combination of URL and Javascript - the power a single HTML page now gives a developer writing Web applications is simply amazing. For example, it doesn't get much simpler than this "http://api.facebook.com/mewilcox" for accessing identity.

And while I can't yet share too much publicly about the specifics - the social graph API had a profound impact on me in designing our next generation APIs.


Clarifying OVD-AD EUS Password Question

Got a question from a customer:

"We had a question about one of the attributes added by the schema extension: orclCommonAttribute. Is the user's password hash stored in this attribute when using Kerberos authentication (OVD and AD option)? Is the user's password hash stored in any other AD attributes? Or does this attribute remain empty?"

First a quick explanation about orclCommonAttribute. If you use EUS with username and password authentication, the database fetches the password hash and compares it locally instead of doing a traditional LDAP bind. One of the reasons it does this is that this way the password is never communicated to the database in clear text. Yes, there are a variety of ways to prevent that (such as an encrypted network connection) - but when EUS was first conceived (over a decade ago) those were not as common as they are today.

For most directories this isn't a problem - they store the passwords in a hashed format that can be retrieved. Except for Microsoft Active Directory. To work around this problem, OVD-EUS uses a password filter to capture password changes on the domain controller, hashes the password and stores it in an extended attribute, orclCommonAttribute.

If a customer were to choose to deploy EUS with Kerberos instead, there wouldn't be any reason to deploy the password filter and thus the attribute wouldn't be populated. Not only that - the database won't even query the directory for the password since the authentication would happen via Kerberos. Instead EUS is just providing user to schema mapping and, more importantly, role to group mapping.


Can You Use The Shadow Join Adapter With OVD-EUS

This year (Oracle's year starts in June) I'm really trying to dedicate myself to saving keystrokes. As a follow-up to my post on minimizing schema changes in AD when using OVD-EUS - a customer asked if you could use Shadow Join to eliminate schema changes with OVD-EUS.

The Shadow Join is a default join type in OVD that allows OVD to redirect data updates for certain attributes to OID or ODSEE instead of the enterprise directory. It's different from a traditional join (like simple join) in that with a simple join you are linking existing data sources such as an HR database and AD. But with Shadow Join you have applications that need to extend schema but you don't want to extend the enterprise directory. OVD will then intercept the updates and create a special entry in OID/ODSEE (on demand) to store these extended attributes and link it with the entry in the enterprise directory.

Unfortunately with OVD-EUS you cannot use Shadow Join to eliminate the schema changes. Shadow Join however works fine with most (all as far as I know) other Oracle applications that require schema changes on the user record, such as Oracle Access Manager 10g.

The reason why Shadow Join doesn't work with OVD-EUS is that the user password hash must be stored in the AD user record, and we use an extended attribute - orclCommonAttribute - for this. If you wanted to store it in another directory, that is possible by using OID-EUS with DIP. This way DIP intercepts the password change and sends it to OID to be stored.


Schema Extension Options with OVD-Enterprise User Security and Microsoft Active Directory

A customer asked support recently about how to minimize the schema extensions needed to configure Oracle Database Enterprise User Security with Oracle Virtual Directory.

EUS is the database feature that allows you to externalize usernames, roles and (optionally) passwords from the database to your enterprise directory. I say the password is optional because if you are using Kerberos authentication with the database - authentication happens via the Kerberos KDC (either MIT or, more often, Microsoft Active Directory) - leaving EUS to just handle the database schema to LDAP user mapping.

Now to talk about the schema extensions and EUS. There are two types of data stored in the directory for EUS when using OVD-EUS with AD. One is the database meta-data containing information about which databases are registered for EUS, the database schema to LDAP user mapping and the database role to LDAP role mapping. The other type is the mapping of the LDAP user password.

The password schema extension is needed because, unlike every other LDAP we support for EUS, AD doesn't provide a mechanism to get back a standardized (e.g. MD5, SSHA, SHA1) hash of a user's password. So we use a password filter to capture a password change, hash the password and store it in the user entry. EUS needs the hashed password because it fetches the hash password (over SSL) to compare against the hash password sent from the client (in the database - passwords are never, ever, sent in clear text - which is why the database doesn't just use LDAP bind like other apps such as Weblogic).

Many AD administrators don't like to extend the schema. This is because, in part, Microsoft doesn't give you any way to back out a schema change. You can't even manually delete elements. So we have a configuration option (shown in the diagram here) that lets you split the data. You can put the meta-data into OID (or technically ODSEE - though that is not yet officially documented; contact me if you wish to do this) and leave only the password hash attribute extension in AD. Thus you only need to add two things to the AD domain controller - one attribute ("orclCommonAttribute") and the password filter.

The only way I'm aware of to completely avoid the schema extension if you are using OVD-EUS is if you are using Kerberos authentication - you can configure OVD-EUS without needing to do any AD schema extension and put all of the meta-data into OID/ODSEE.

Finally don't forget to sign up for our upcoming 11gR1 Identity & Access Management webcast on Wed. July 21, 2010.
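Both this post and the earlier "Clarifying OVD-AD EUS Password Question" describe the same mechanism: a password filter on the domain controller writes a standard hash into orclCommonAttribute, and the database fetches that hash and compares it locally instead of binding. The Python below is an added model of that directory-side flow. It is not Oracle's EUS, OVD or password-filter code, and it does not model the Oracle client-to-database exchange; it implements the RFC 2307 `{SSHA}` scheme as one instance of the standardized hashes the post lists, a toy domain controller whose native password store cannot be read back through search, a filter hook that populates `orclcommonattribute` on each change, and the compare-locally check, including the Kerberos case where no filter is deployed and the attribute stays empty. The class, function and DN names are constructed for this example.

```python
"""Model of the OVD-EUS password-hash flow: a filter stores a retrievable
standard hash, the consumer fetches it and compares locally (no LDAP bind).
Added example for this page; not Oracle EUS/OVD/password-filter code."""
import base64
import hashlib
import hmac
import os


def ssha_encode(password, salt=None):
    """{SSHA} = base64(sha1(password || salt) || salt); 8 random salt bytes unless given."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Recover the salt from the stored value, recompute, compare in constant time."""
    if not stored.startswith("{SSHA}"):
        return False  # other schemes ({MD5}, {SHA}, ...) are not handled in this model
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes; the rest is salt
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


class ToyDomainController:
    """Stand-in for AD (constructed): native password storage is not readable via
    search, and an optional filter hook is invoked on every password change."""

    def __init__(self, password_filter=None):
        self.entries = {}
        self.password_filter = password_filter
        self.cleartext_binds = 0  # times a caller had to hand the DC a cleartext password

    def change_password(self, dn, password):
        entry = self.entries.setdefault(dn, {})
        # AD's native format is not a retrievable standard hash; model it as opaque.
        entry["_native"] = hashlib.sha256(b"toy-native:" + password.encode("utf-8")).hexdigest()
        if self.password_filter is not None:
            self.password_filter(entry, password)

    def bind(self, dn, password):
        """Traditional LDAP bind: the cleartext password travels to the directory."""
        self.cleartext_binds += 1
        entry = self.entries.get(dn)
        if entry is None:
            return False
        candidate = hashlib.sha256(b"toy-native:" + password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(candidate, entry["_native"])

    def search(self, dn, attr):
        """Only extended attributes are readable; the native store never leaves the DC."""
        if attr.startswith("_"):
            raise PermissionError("native password data is not retrievable")
        return self.entries.get(dn, {}).get(attr)


def orcl_password_filter(entry, password):
    """Model of the filter: hash the new password and store it in orclCommonAttribute."""
    entry["orclcommonattribute"] = ssha_encode(password)


def eus_style_authenticate(directory, dn, password):
    """Fetch the stored hash and compare locally; no bind, no cleartext to the directory.
    Returns None when the attribute is empty (Kerberos deployment, filter not installed)."""
    stored = directory.search(dn, "orclcommonattribute")
    if stored is None:
        return None
    return ssha_verify(password, stored)


if __name__ == "__main__":
    dn = "cn=jdoe,ou=People,dc=example,dc=com"  # constructed
    dc = ToyDomainController(password_filter=orcl_password_filter)
    dc.change_password(dn, "Tr0ub4dor&3")
    print("hash compare:", eus_style_authenticate(dc, dn, "Tr0ub4dor&3"),
          "cleartext binds seen by DC:", dc.cleartext_binds)
    krb = ToyDomainController()  # no filter deployed, as in the Kerberos case
    krb.change_password(dn, "Tr0ub4dor&3")
    print("without filter, attribute is:", krb.search(dn, "orclcommonattribute"))
```

The `cleartext_binds` counter is the point of the contrast: the hash-compare path authenticates without the directory ever being handed the password, while the bind path cannot. The Kerberos variant shows why the customer's attribute stayed empty: without the filter there is simply nothing written to orclCommonAttribute, and the check returns None rather than a verdict.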


Learn What's New in 11g Oracle Identity Management

Last year we unveiled the initial components of our Fusion Identity Management stack 11g - including Oracle Internet Directory, Oracle Virtual Directory and Oracle Identity Federation. In a couple of weeks (specifically July 21, 2010 at 10:00 AM Pacific/1:00 PM Eastern) we're going to show you the rest of the 11g Identity Management stack via an online webinar.

So why is this important? Because in every environment people are trying to evolve rapidly while still depending upon decades-old technology. Because it seems like every week we're getting new compliance rules - even though you're still fighting to meet the existing ones (that never seem to go away). And because you need to become more agile to get ahead in the game.

The solution: Oracle Identity Management 11g redefines the architectures that secure the modern enterprise, ushering in a new era of agile security, rapid ROI, and sustainable compliance.

Sign up for the webinar here.

We're also trying out a couple of unique ways for y'all to participate in the webinar - prior to the webinar:

1 - If you have questions you would like to see answered - you can send them via Twitter by using the hashtag #OracleIDM
2 - You can also use the hashtag #OracleIDM to nominate an Oracle Identity Hero


Mark Wilcox Oracle OpenWorld (OOW) Speaking Schedule

I have received my speaking schedule for OOW in September. Which is going to be here quicker than we realize. Here are the places I'm speaking and a bit about each topic:

SESSION SCHEDULE INFORMATION

ID#: S317084
Title: Active Directory and Windows Security Integration with Oracle Database
Track: Database
Date: 21-SEP-10
Time: 14:00 - 15:00
Venue: Moscone South
Room: Rm 302

[Mark's Notes] - This is my annual event to co-present with the Oracle Database Windows Team. Most of the presentation is about all of the interesting things you can do with managing users if everything (both clients and DB servers) is running on Windows. I then speak about how you manage that data when you have a mixed environment. It will be a short summary of the detail I will share in the Wednesday session.

ID#: S316989
Title: Creating a Strong Foundation for IdM with Oracle Directory Services
Track: Identity Management
Date: 22-SEP-10
Time: 16:45 - 17:45
Venue: Moscone South
Room: Rm 310

[Mark's Notes] - This will be an overview of our current product offerings and a glimpse of the future. OOW is one of the very few chances we get to actually talk about roadmap publicly.

ID#: S316991
Title: Database User Management with Oracle Directory Services and Active Directory
Track: Identity Management
Date: 23-SEP-10
Time: 10:30 - 11:30
Venue: Moscone South
Room: Rm 310

[Mark's Notes] - I will spend the hour talking about managing Oracle Database Users and Roles with Enterprise User Security. While I'll be focusing on AD - I'll also touch briefly on DSEE, eDirectory and OID.


Get Smarter Just By Listening

Occasionally my friends ask me what I listen to/read to keep informed. So I thought I would post an update.

First - there is an entirely new network being launched by Jason Calacanis called "ThisWeekIn". They have weekly shows on a variety of topics including Startups, Android, Twitter, Cloud Computing, Venture Capital and now the iPad. If you want to keep ahead (and really get motivated) - I totally recommend listening to at least This Week in Startups. I also find Cloud Computing helpful. I also like listening to the Android show so that I can see how it's progressing. Because while I love my iPhone/iPad - it's important to keep the competition in the game to improve everything. I'm also not opposed to switching to Android if something becomes as nice an experience - but so far - my take on Android devices is - 10 years ago, I would have jumped all over them because of their hackability. But now, I'm in a phase where I just want these devices to work, and since most of my creation is in non-programming areas - I find the i* experience better.

Second - In terms of general entertaining tech news - I'm a big fan of This Week in Tech.

Finally - For a non-geek but very informative show - The Kevin Pollak Show on the ThisWeekIn network gets my highest rating. It's basically two hours of in-depth interview with a wide variety of well-known comedians and movie stars.


My Obligatory IPad Post

I've had my iPad for about a week now. So I thought I'd write some thoughts down based on my initial experiences. Here are my initial take-aways:

1 - Netflix OnDemand - I'm a movie junkie. I'm now more apt to just start a movie as background sound for my workday (I telecommute - so except for the occasional bark from my dog, it's awfully quiet here if I don't have something going).
2 - The Email Client is really nice and I'm as fast or faster typing when I have the wireless keyboard engaged. Even with the onscreen keyboard - I'm already close to 75% of desktop speed.
3 - The battery life is incredible - I think this is the first case where a mobile device actually under-promised on battery.
4 - It totally has killed the notion of using a normal PC for my wife and mother-in-law - neither of whom had wanted an iPhone/iPod Touch or really any Apple device until they got to play with my iPad. The concept of instant on, easy to hold and touch-based navigation has them hooked.

Heck, it has me hooked. My ultimate goal is to be able to have it at least replace the need to take my netbook with me on the road. I haven't had a chance to complete my testing on that front yet - between work, my wife traveling (for a change) and now my wife home sick - I haven't had time to just play with it. But so far my only regret is that I haven't already bought two more for everyone else in my family who wants to use mine.


Book Review - Enterprise Security For The Executive

I finally got a chance to read through the book Enterprise Security for the Executive by Jennifer Bayuk. It's not a technical book - rather, as the title suggests, it explains why security is important for CXO-level management and processes for achieving success. For most readers of this blog there won't be anything new, but then, I would argue the book isn't meant to convince us directly. Rather it provides stories we can use to make points about security and strategies to help get the point across to management. Because as the book wisely summarizes - Security is about management control. Meaning - what to secure and at what level of security is a management decision. And this is often a tricky situation because there is no such thing as perfect security, and people also know threat plus vulnerability does not equal damage. The problem is that while the "threat + vulnerability != damage" equation is true today, it can change quickly. That's why you need to make sure management understands the need to do regular (at least annual) reviews of threats and compliance. You also need to make sure that your identity management includes technology like Oracle Virtual Directory that can be used to quickly adapt to your changing risk and compliance needs.


My Own IPad Thoughts

Jackson Shaw just posted his own thoughts on the upcoming iPad. I thought I would comment on something he wrote and then toss in my own general thoughts. Jackson wrote "Hint, if you aren’t working on a Kindle app for the iPad you’d better be!". To which I would point out - worst-case scenario - since the iPad supports existing iPhone apps - the existing Kindle app should work. Same as the B&N Nook app and Stanza. Though maybe the better question will be - will Amazon/B&N upgrade the app to be as slick as what the iBooks app looked like on the demo? Personally I'm not sure if I really want that metaphor but I appreciate the marketing aspect of it. And I'm not completely sure that the iPad will kill the Kindle or the Nook. After all - the iPod hasn't completely killed the MP3 or mobile phone alternatives either. In particular, if a low-priced (under $100) dedicated eReader emerges, the battery life and easier-on-the-eyes screen are good enough features to justify owning one if you read lots of books. I know not many people read as voraciously as I do - but there are still plenty of people who like to read. But I am pretty sure I'll be buying my own iPad as soon as one comes out - with the goal of it at least being able to be used as my travel PC.


Explaining Master Data Management Integration with Oracle Virtual Directory

I got a couple of questions recently around OVD and Master Data Management (MDM). MDM is an industry-standard data solution that provides a single source of truth for customer information. It's particularly useful for large organizations who have customer data in lots of different repositories, such as telcos or higher education. It's complementary to a provisioning solution - MDM provides a clean source of truth for a provisioning system. But MDM is not optimized for activities like password management or related account activities. Within Oracle we market our MDM solutions as Oracle Customer Hub. There are two integration points:

1 - Authentication for MDM
2 - Use MDM as an OVD Data Source

The authentication use case is pretty simple - OVD can be used as the LDAP server for the Siebel MDM application. For example, if you have 2 LDAP servers containing users who need access to Siebel MDM, you can use OVD. The more interesting use case is MDM as an OVD Data Source. For example, let's say you want to build a web application that provides different levels of features based upon customer status (e.g. basic vs premier customer). This data is managed in MDM, and OVD can use this data to create an LDAP group without needing to copy the data into another LDAP store. Thus as soon as the MDM status changes, the access control permissions are changed automatically at the same time. We refer to this capability as Identity Publisher. There are two papers on this subject:

Integrating Oracle Virtual Directory with Siebel and Oracle Customer Hub
Configuration Instructions for Siebel, Oracle Customer Hub and Oracle Virtual Directory


Lessons From The NFL Divisional Weekend

I realized that there were some lessons to be learned about security and identity management from watching the NFL playoffs this past weekend. The lesson in particular is that whenever humans are involved they will not always act as you predict. Players who are better on paper (and in Madden) will suddenly disappear on the field. The coach will call a play asking a slow running back to try and run a sweep designed for a faster player. The quarterback will get nerves and panic and forget what color his jersey is. What does this have to do with identity management and, of course, virtual directories? If you have put a system in place to manage identity information, like your HR system, that people are trained on and that has the proper security, backups and audit reports - you should reuse that system. That way you reduce the chances of the data becoming misused or out of compliance. It also allows you to stretch your dollars because you can reuse the data you are already managing. A virtual directory like Oracle Virtual Directory makes it easier to reuse this data because it can directly access the HR data without needing to copy it into another system. Thus your portals, single sign-on and databases can be deployed faster and more easily without having to worry about whether the data is accurate and secure.


2010 - The Year We Make Contact

On New Year's Eve it occurred to me that we had now crossed the years of not one but two of Arthur C. Clarke's sci-fi novels - 2001 and 2010. Of course on one hand we are nowhere near as advanced in manned space flight as described in those books. But I think there is more than a kernel of truth to the title of the 2010 movie - "The Year We Make Contact." Though I doubt it will be with any alien monolith. Instead 2010 is when mobile phones really explode globally, both in terms of smart-phones and the low end. Already in 2009 we saw mobile phone subscriptions hit 4 BILLION. There are 7 Billion people on the planet. Which means there are very few other technologies that have that type of reach - we call them fire and the wheel. While I'm constantly amazed at seeing how the lowly mobile phone has helped improve the lives of people, in particular in the poorer parts of the world, I want to focus a bit more on the smart-phone market. This week there were two major phone-related announcements. The first was of course the Google Nexus One. My thought on it is that I agree with one of the TechCrunch op-eds on it - that Google and Apple are tag-teaming the telcos in how we buy our phones. In particular, in the next couple of years, as new chips emerge that can put multiple radios into a single slim device, it will become much easier for handset manufacturers to have one device that can work with multiple providers. I don't think either Google or Apple will knock the other one out. But they could knock some of the other players out. Though with 4 billion consumers in the world - you could probably make a nice business with a very small subset of that even if it meant that nobody in the US has ever heard of you. The second was the launch of AppMakr. AppMakr lets you convert RSS feeds into a branded, dedicated iPhone application for about $200 US. Meaning you can sell it or give it away for free on the Apple iTunes store. With or without ads.
Since I've made a personal goal for 2010 to actually publish my personal fiction - AppMakr really intrigues me. I foresee it as a cheap way to provide a branded delivery mechanism for short stories/novellas - something not really easily done with other self-publishing mechanisms. I know it's limited to Apple (though that's still a sizable market) but I wouldn't be surprised if it were extended to at least Android and possibly others in the future. There are of course implications for identity in all of this, but I don't have anything concrete on that to share at the moment.


Google ChromeOS First Impressions

One of the comments from an earlier post on Google's ChromeOS had mentioned there was a way to try it out using virtual machines. I finally got a chance to take it for a spin this morning using the image built by the team at GDGT. GDGT is an interesting site itself - basically a new social-type site for people with gadgets. Alright, on to the nitty gritty. First - I think it is important to put Google ChromeOS into context. Because it's still early and only the uber-geeks are trying it out - the reviews have tended to reflect what that community wants in an OS. Which is not the audience Google ChromeOS is aimed at. That out of the way, here is what the user experience was like:

1 - You start the machine.
2 - You are prompted to log in with your Google credentials.
3 - You are logged in in what seemed like a second.

The screen is really just the Chrome browser with the home tab set to your Gmail. A second tab is already opened to your Google calendar. You can then browse as normal. In the name of research - I then played a game of Bejeweled online, which is the latest casual game addiction. Because my wife is closer to the target audience of ChromeOS than I am - this was important. Because if a computer that came out today couldn't play Bejeweled - she would not use it. So yes, I played the game in the name of research. Sometimes research requires sacrifices like this. But overall - the OS was a lot more polished than I expected. Of course much of it is built on existing bedrock - Linux, the Chrome browser and Google's services. And to be candid - my gut feeling on just playing with it this morning was similar to the feeling I got when I first got a chance to play around with Apple OS X at the first ApacheCon a decade ago. That this - while not completely polished - was going to be a game changer. I'm not going to say that ChromeOS will kill Windows. But just as OS X drove a lot of requirements for Vista/Windows 7 - ChromeOS could do the same thing here.
And as Martha Stewart would say, "That's a good thing." For example, imagine an environment that assumed you were always on a network (not entirely far-fetched) but could gracefully handle when you were not. That instead of assuming all of your documents (whether those were docs, spreadsheets, video, music, etc.) were going to be local by default - they were instead stored online. You can of course already do much of this today - I for the most part live this. All of my mail exists in the cloud (personal mail in Google, work mail in Oracle Beehive). My project tracking list is managed in Toodledo. My notes for just about everything are in Evernote. All of my new work-related documents are being stored in Oracle Beehive workspaces. I'm trying (again) to write a novel. This time using Google Docs - primarily so that I can write on it wherever I am without worrying about having the latest chapter with me. But - while this is possible - it does require dedicated work to use. That's why I'm optimistic about the world moving to a natively integrated cloud OS. Identity management will have to play a key role for this to function. For example - to give you the most flexibility about where your documents are stored, you will want an Identity Rights Management product to make sure only authorized people can access the docs. There will have to be numerous behind-the-scenes federated authentications (whether that federation is SAML or something else like OpenID or OAuth), and of course identity attributes will need to be virtualized because that data could literally be - anywhere.


Follow-up on OAuth/UMA/SPML

Clark Sanford gave me some insightful comments on my OAuth/UMA/SPML/Federated Provisioning post. In particular he's trying to promote the use of SAML Attribute Query as the way to provide the callback in Federated Provisioning: "In the scenario Nishant describes where the original Assertion doesn't contain all the attributes/claims they want for provisioning, in a SAML implementation why couldn't the SP service initiate the Assertion Query profile to retrieve the desired additional attributes from the IdP service?" I think it's important to keep in mind the real competition isn't between SAML or OAuth or SPML. Rather the real competition is to convince people that they shouldn't be doing manual data entry (and storage) of person/identity data. That it is in fact queryable. That's the big hurdle. Then the second hurdle is actually how to implement this. While SAML Attribute Query would seem to be a preferred choice (standard, most if not all federation products support it) - I think it's still too hard for the average developer to deploy a solution. For example - here is something I would like to see details on: How would a PHP developer write a SAML Attribute Query back to a SAML IDP that worked with any server that supported SAML 2?
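To make the question above concrete, here is what the SAML 2.0 Attribute Query exchange looks like at the message level, written as an added example in Python rather than PHP (this is not code from the original post or from any federation product). It builds a samlp:AttributeQuery for a subject and a list of attribute names, then parses a constructed samlp:Response and refuses any reply whose InResponseTo does not match the query it sent or whose status is not Success. The entity IDs are placeholders; the SOAP binding and the XML signatures a real IdP requires on both messages are assumed to be handled by the transport layer and are not shown, which is exactly the part that makes this hard for an average developer.

```python
"""Build a SAML 2.0 AttributeQuery and read the attributes out of a Response.

Added example (not from the original post). Only the XML messages are shown;
SOAP binding and XML-DSig are assumed to be handled elsewhere.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Placeholder entity IDs (assumptions, not real endpoints).
SP_ENTITY_ID = "https://sp.example.test/saml"
IDP_ENTITY_ID = "https://idp.example.test/saml"


def build_attribute_query(name_id: str, attribute_names: list) -> tuple:
    """Return (query_id, xml) for a samlp:AttributeQuery that names the subject
    and the attributes the SP wants the IdP to release."""
    query_id = "_" + uuid.uuid4().hex
    q = ET.Element(f"{{{SAMLP}}}AttributeQuery", {
        "ID": query_id,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(q, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    subject = ET.SubElement(q, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    }).text = name_id
    for name in attribute_names:
        ET.SubElement(q, f"{{{SAML}}}Attribute", {
            "Name": name,
            "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
        })
    return query_id, ET.tostring(q, encoding="unicode")


def parse_attribute_response(xml: str, expected_query_id: str) -> dict:
    """Extract attributes from a samlp:Response. Reject a response that does not
    answer the query we sent (InResponseTo) or that does not report Success."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("InResponseTo") != expected_query_id:
        raise ValueError("response does not match our query ID")
    status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError("IdP did not return Success")
    attrs = {}
    for attr in root.iterfind(f".//{{{SAML}}}AttributeStatement/{{{SAML}}}Attribute"):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall(f"{{{SAML}}}AttributeValue")]
    return attrs


def sample_response(query_id: str) -> str:
    """Constructed IdP reply used for the demo (not captured from a real IdP)."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp1" Version="2.0" IssueInstant="2010-01-01T00:00:00Z" InResponseTo="{query_id}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2010-01-01T00:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="jobcode"><saml:AttributeValue>ENG-42</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>alice@acme.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def demo() -> dict:
    """Send a query for two attributes and read them back from the sample reply."""
    query_id, query_xml = build_attribute_query("alice@acme.test", ["jobcode", "mail"])
    assert "AttributeQuery" in query_xml
    return parse_attribute_response(sample_response(query_id), query_id)


if __name__ == "__main__":
    print(demo())
```

The InResponseTo check is the one a developer most often skips: without it an attacker who can inject a valid-looking, signed response for a different query can have its attributes applied to the wrong session.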


Thinking on Oauth, UMA and SPML

Nishant just posted a blog asking "Can OAuth do what SPML hasn't?", in particular in regards to "federated provisioning". Just to make sure everyone understands what we are talking about, let's use an example use case where federated provisioning could be required:

Acme Medical Tools has entered an agreement with an online CRM provider. The CRM provider supports the use of SAML to authenticate the Acme Medical Tools users. However, for Acme Medical Tools to be able to use this CRM provider they must have a local account in the CRM provider's database. Federated provisioning would allow these accounts to be dynamically created and updated using an agreed-upon method.

There are basically 2 methods to support federated provisioning:
1 - The CRM system could use attributes provided in the SAML assertion from the IDP
2 - The CRM system can request the attributes from the IDP using a separate request

I would like to point out that we have customers who have done both scenarios. I even wrote the example being used in our current on-demand demonstration for 11g Identity Management. And in the first case - it is possible that SPML could be used on the SP (the CRM provider) (e.g. the federation server gets the attributes and then calls SPML to create/update the record). But where OAuth could possibly be used is in the 2nd scenario. As shown by this diagram: So for example the CRM system would make a "Web Service" call (I put it in quotes because this could be SOAP or REST, standard (like DSML) or proprietary) back to the IDP to fetch the user's attributes. This Web Service would need some type of authentication/authorization to enable it. And I think the question is whether OAuth could be a solution besides the usual suspects (e.g. username/password, certificates, some other esoteric WS-* security system nobody except the people who wrote the Mayan calendar understands).

OAuth does have some distinct advantages:
1 - It's very simple to implement - it's more like implementing an application-specific, one-time-use password - so small shops with less expertise can implement solutions
2 - It doesn't require certificates (it's almost 2010 and managing/signing certificates is still very difficult)
3 - Because OAuth tokens have a native time-to-live capability, they could simplify the process of renewing service agreements

To make the discussion easier to follow, here is a simple diagram that shows the basic OAuth steps. Nishant correctly points out that OAuth expects an end-user to be involved. This is because the initial use case OAuth was designed to solve was to eliminate the need for 3rd-party services to have your password to access those services. For example, if you wanted to create a T-Shirt on CafePress using a photo you had on Flickr - OAuth could be used to access your Flickr account from CafePress without CafePress needing your actual Flickr password. The OAuth token could also have a "time-to-live" attached to it so that, for example, CafePress could only have access to your Flickr data for 4 hours. He then wonders if IGF policies could be used. It's an interesting idea on the IGF spec and one we'll have to explore further if people do want to use OAuth for these types of scenarios. The other benefit that IGF could offer to this picture besides defining the spec is that policies could be natively known to the client application via the ArisID API. The API is the area of IGF where I have been spending most of my IGF-related time lately, and hopefully I will be able to share more about that soon. The other component that comes to mind is that OAuth services will need to be able to allow individuals to map tokens to user identities besides themselves.
For example, the Acme Medical Tools federated business manager authorizes the CRM service to access the Acme Medical Tools People Web Service but wants to ensure the OAuth token corresponds to the CRM Service - not the actual business manager. That is an area where other access management components can play a part - entitlements, access management, secure authentication. This is also potentially related to the new User Managed Access (UMA) initiative in the Kantara Initiative. The goal of UMA is to make it easier for consumers to better manage the data relationships with their vendors. This is not only about privacy but also about enabling new business cases. For example, if you are looking to buy a new car - instead of starting the usual searching and maybe asking your friends - you could post a "Personal RFP" that listed your requirements. Federated Provisioning would be needed so the dealerships could get information about you to do their own analysis. UMA would define the protocol around publishing the RFP, how the dealerships could access your data and how you can manage that relationship. The project was started by Eve Maler and I'm participating as a consulting, non-voting member because, as I told Eve, I'm one of a small minority who understands Identity 2.0, SOA and CRM. Hopefully I've shed some more light on the subject for people to think about. I would really like to know if your organization has been looking at federated provisioning and/or OAuth.
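The two provisioning methods and the token concern raised at the end of the post, carried through as an added example (this is not code from the original post, from Nishant's post, or from any Oracle product). Method 1 provisions the CRM's local account from the attributes in the assertion; Method 2 calls back to an assumed "People Web Service" at the IdP for the attributes that were missing. The callback is authorized with a short-lived token whose subject is the CRM service itself, not the business manager who approved it, which is the mapping the post says OAuth services would need to support. The token format is a constructed HMAC scheme standing in for an OAuth token; the key, endpoint and attribute names are placeholders.

```python
"""Federated provisioning both ways, with a service-bound, expiring callback token.

Added example (not from the original post). The token scheme is a constructed
HMAC stand-in for an OAuth token; key, attributes and directory are placeholders.
"""
import hashlib
import hmac
import json
import time

IDP_TOKEN_KEY = b"placeholder-idp-signing-key"  # placeholder shared secret


class TokenError(Exception):
    pass


def issue_token(authorized_for: str, approved_by: str, ttl_seconds: int, now: float) -> str:
    """Issue a token bound to the *service* that will present it (authorized_for),
    recording who approved it and when it stops being valid."""
    claims = {"sub": authorized_for, "approver": approved_by,
              "exp": int(now) + ttl_seconds, "aud": "people-ws"}
    body = json.dumps(claims, sort_keys=True)
    sig = hmac.new(IDP_TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_token(token: str, expected_service: str, now: float) -> dict:
    """Check signature, expiry, audience and that the token names the caller."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(IDP_TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise TokenError("bad signature")
    claims = json.loads(body)
    if claims["exp"] <= now:
        raise TokenError("token expired")
    if claims["sub"] != expected_service or claims["aud"] != "people-ws":
        raise TokenError("token not issued for this caller")
    return claims


# Constructed IdP-side people data for the demo.
IDP_PEOPLE = {
    "alice@acme.test": {"cn": "Alice Example", "jobcode": "SALES-7", "region": "EMEA"},
}


def people_web_service(token: str, caller: str, user: str, now: float) -> dict:
    """Method 2 callback: the IdP releases attributes only to a verified caller."""
    verify_token(token, caller, now)
    return dict(IDP_PEOPLE[user])


def provision_local_account(local_db: dict, user: str, attrs: dict) -> str:
    """SPML-style create-or-update of the SP's local account record."""
    if user in local_db:
        local_db[user].update(attrs)
        return "updated"
    local_db[user] = dict(attrs)
    return "created"


def federated_login(local_db: dict, assertion_attrs: dict, token: str, now: float) -> dict:
    """Method 1 from the assertion, then Method 2 for whatever is still missing."""
    user = assertion_attrs["mail"]
    provision_local_account(local_db, user, assertion_attrs)
    if "region" not in local_db[user]:  # assertion did not carry everything we need
        extra = people_web_service(token, "crm-service", user, now)
        provision_local_account(local_db, user, extra)
    return local_db[user]


def demo() -> tuple:
    """Run one login, then show the same token being refused after its TTL."""
    now = time.time()
    # The business manager approves access, but the token's subject is the CRM service.
    token = issue_token("crm-service", "manager@acme.test", ttl_seconds=4 * 3600, now=now)
    local_db = {}
    record = federated_login(local_db, {"mail": "alice@acme.test", "cn": "Alice Example"}, token, now)
    try:
        verify_token(token, "crm-service", now + 5 * 3600)
        expiry = "still valid"
    except TokenError as e:
        expiry = str(e)
    return record, expiry


if __name__ == "__main__":
    print(demo())
```

Binding the token subject to the service rather than the approving person is what lets the IdP log and revoke the CRM's access independently of the manager's own account, which is the distinction the post asks access management components to make.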


Announcing Oracle Identity Management 11.1.1.2

As you may have seen elsewhere, Oracle released an update to the Fusion Middleware 11g bits; this includes the current 11g IDM products (Oracle Virtual Directory, Oracle Internet Directory and Oracle Identity Federation). The release is named 11.1.1.2 and can be downloaded here. For OID and OIF it's basically a bugfix update for R1. For OVD, besides the usual bugfixes, we also added several new features. It's why I've informally nicknamed this release OVD 11g - the Director's Cut. Here are 3 key enhancements in this release:

1 - Ability to search both primary and secondary adapters in a split-profile (aka Join adapter). A split-profile is where attributes for a single entry are split between 2 or more sources (for example username and password in Active Directory, jobcode in an HR database). Applications can now search on these entries (they have always been able to view or update them) as if they were a single source without needing to copy them into a single store. The ForkJoin plug-in provides this functionality.
2 - Hide entries from search results based on a filter. Sometimes customers need to hide entries from being returned from an adapter based on some criteria outside of an ACL. For example, maybe they need to prevent "classified=Top Secret" or "doNotPublishInAddressBook=true" entries from being returned. While many customers have implemented this behavior before using one of our sample plug-ins (I think it's the first sample I ever wrote) - it's now productized with the HideByFilter plug-in.
3 - Improved Microsoft compatibility. OVD will now support binds where the DN is not a valid DN (like a username) and can add a memberOf attribute to any person entry using the UPNBind and VirtualMemberOf plug-ins.

You can read more about these plug-ins and the additional new features I didn't cover here in the "What's New" section of the documentation. ... Apologies if this ends up being a double-post - still having fun figuring out my new blogging system.
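To show what these behaviours mean for an application doing the search, here is a small in-memory model, added as an example and not Oracle Virtual Directory code, of the three plug-ins described above together with the MDM-driven group from the "Explaining Master Data Management Integration" post: a join over two sources keyed on uid (split profile), hiding entries by a filter that is not an ACL, a computed memberOf attribute, and a group whose members are derived from a source attribute (customerStatus) instead of a copied membership list. The source records, DN suffixes and attribute names are constructed for the demo; real adapters, ACLs and the LDAP protocol layer are out of scope.

```python
"""In-memory model of join, hide-by-filter, virtual memberOf and a dynamic group.

Added example, not OVD code. Sources, join key and filter are constructed.
"""
from collections.abc import Callable

# Primary source (think Active Directory): identity plus group membership.
PRIMARY = {
    "alice": {"uid": "alice", "cn": "Alice Example", "memberOfGroups": ["sales"]},
    "bob":   {"uid": "bob",   "cn": "Bob Example",   "memberOfGroups": []},
    "carol": {"uid": "carol", "cn": "Carol Example", "memberOfGroups": ["sales"]},
}
# Secondary source (think HR database or MDM), joined on the same uid.
SECONDARY = {
    "alice": {"jobcode": "SALES-7", "customerStatus": "premier", "doNotPublishInAddressBook": "false"},
    "bob":   {"jobcode": "ENG-42",  "customerStatus": "basic",   "doNotPublishInAddressBook": "true"},
    "carol": {"jobcode": "SALES-9", "customerStatus": "premier", "doNotPublishInAddressBook": "false"},
}

PEOPLE_BASE = "ou=people,dc=example,dc=test"
GROUP_BASE = "ou=groups,dc=example,dc=test"
Filter = Callable[[dict], bool]


def fork_join(primary: dict, secondary: dict, key: str) -> list:
    """Join adapter: each entry is the primary record plus whatever the secondary
    holds under the same key. Entries with no secondary record stay unjoined."""
    joined = []
    for k, rec in primary.items():
        entry = dict(rec)
        entry.update(secondary.get(k, {}))
        entry["dn"] = f"{key}={rec[key]},{PEOPLE_BASE}"
        joined.append(entry)
    return joined


def hide_by_filter(entries: list, hide_if: Filter) -> list:
    """HideByFilter behaviour: drop entries matching a condition outside the ACLs."""
    return [e for e in entries if not hide_if(e)]


def virtual_member_of(entries: list, group_base: str) -> list:
    """Add a memberOf attribute of group DNs computed from the source data."""
    out = []
    for e in entries:
        e = dict(e)
        e["memberOf"] = [f"cn={g},{group_base}" for g in e.get("memberOfGroups", [])]
        out.append(e)
    return out


def dynamic_group(entries: list, attr: str, value: str, group_dn: str) -> dict:
    """Group whose members are the entries with attr == value, built from the
    joined view on each request, so a status change in the source is reflected
    immediately without copying anything."""
    return {"dn": group_dn, "member": [e["dn"] for e in entries if e.get(attr) == value]}


def search(filter_fn: Filter) -> list:
    """Search the split profile as one source: the filter may test a primary
    attribute (cn), a secondary one (jobcode), or the virtual memberOf."""
    view = virtual_member_of(
        hide_by_filter(fork_join(PRIMARY, SECONDARY, "uid"),
                       lambda e: e.get("doNotPublishInAddressBook") == "true"),
        GROUP_BASE)
    return [e for e in view if filter_fn(e)]


if __name__ == "__main__":
    for entry in search(lambda e: e.get("jobcode", "").startswith("SALES")):
        print(entry["dn"], entry["memberOf"])
    print(dynamic_group(fork_join(PRIMARY, SECONDARY, "uid"),
                        "customerStatus", "premier", f"cn=premier,{GROUP_BASE}"))
```

Note that the hide filter runs before the group is computed in `search` but not in the stand-alone `dynamic_group` call; whether hidden entries should still count as group members is a policy decision a deployment has to make explicitly.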


Has Facebook Connect Trumped Them All?

I wasn't able to make it to Internet Identity Workshop this week, so I would like to know people's thoughts on Facebook Connect. It appears that more and more sites are now allowing you to use your Facebook account to authenticate you. The experience in my opinion may make this Facebook's killer app (though my wife's obsession with Cafe World makes me wish I had paid more attention to Flash development back when it first emerged). The reason is that - I simply clicked on the Facebook icon on the site I was accessing. And because I happened to be logged into Facebook at the time - I was granted access. If you are not logged in, you are presented with the familiar Facebook login screen. And it then connects you - NO REDIRECTS. I fell out of my chair. I didn't think that would be possible. But yet, there it was. And of course the Connect process is potentially prone to phishing attacks, but we've been dealing with those for a long time now. So even if you were a bank and wanted to use Facebook Connect - if you combined it with an anti-fraud solution like Oracle Adaptive Access Manager, including a potential secondary PIN (so you would have 2-factor authentication without needing to manage millions of additional passwords) - it's not any less secure than current systems. I'm not sure of the technology behind it. And I know that the bulk of my friends on Facebook wouldn't care. And if I was running a consumer-facing business that needed authentication for whatever reason - I would strongly consider rolling the dice on just supporting Facebook Connect backed up with traditional local accounts. And tell the other big guns out there - if you want to play in my space - you have to give me an experience like Facebook Connect.


Simplifying LDAP Access For .NET Developers

I don't do much .NET development these days, but I saw this posted on Planet Identity yesterday so I thought I would pass it along for anyone who reads this but maybe doesn't subscribe to the Planet Identity feed. Zetetic - Zetetic.Ldap - Bringing LDAP + LDIF tools to .NET. It's a new general-purpose LDAP API for .NET that at least at first glance feels similar to UnboundID's new LDAP API. While it's good to see new development in this space - we are trying to move developer identity development to a simpler API via our upcoming ArisID Beans API. Hopefully I will be able to share more about this API soon, but as usual - until it's released, I can't publicly talk about it. However, I can give a slightly more concrete teaser - my goal with ArisID is to make it so that it's like the Java Persistence Architecture (JPA) for Identity. Meaning - developers can focus on writing business objects and then just run an IDE extension that creates the proper meta-data (e.g. the CARML file) for it so that an IGF identity provider can provide the data to the client. It's my belief that if a developer can write something like:

public class MyCustomer {
    String customerName;
    String customerAddress;
    String customerIdentifier;
    Boolean isGoodCustomer;
}

that should be basically all they need to worry about when building identity data into their applications. Until then, an API like Zetetic.Ldap can help reduce some of the pain at a lower level.


Innovations in Directory Services

Between helping get internal people up to speed on 11g, a really bad cold which may or may not have been the flu, and vacation (which culminated with me getting to see two of my current favorite bands live on the Mayhem tour) - I've been a bit behind on getting to respond to some stuff floating around the blogosphere. The strangest one was the implication that we here in the Oracle mothership had not been innovative in regards to virtual directory. Particularly ironic was that it came soon after I got publicly acknowledged with an Oracle Innovator Award. And of course we just released 11g. While we have done several updates to OVD functionality over the past several years (including Oracle Database Enterprise User Security and Microsoft Sharepoint integration), I wanted to highlight the new functionality in our 11g release. The primary focus for 11g was to improve manageability and usability as opposed to adding a bunch of new server features. The reason for this is that we believe that we already lead the industry in terms of features. Thus there was not as much pressure in terms of adding missing features for the initial release. The key difference between 10g and 11g is the UI. In 10g, the UI was based on Eclipse. In 11g, we now use a browser-based management console. While Eclipse was nice (I have no reservations on building another tool using Eclipse RCP), moving to the Web gave us some advantages:

- By using the Oracle ADF UI framework we were able to leverage the hard work of this amazing Web-2.0-ready product
- Simplified the ability to integrate with Enterprise Manager and our additional IDM products (as they release their own 11g versions) for administration
- Eliminates problems where customers either couldn't install software on their desktops or were on non-Windows/Linux platforms

So now let's take a look at some of the new UI elements.
If you're reading this in an RSS reader - make sure to click the link to see the blog in your browser to see the images if they don't show up in your reader. First, all Fusion Middleware Components are now integrating with Enterprise Manager. EM provides a standard way of providing monitoring and performance information as well as a standard access point to logging and audit information. The next three shots show different screens of Oracle Directory Services Manager (ODSM). ODSM is used to manage OVD and OID. However, you can still deploy OVD without OID. And you can deploy OID without OVD. First up is the ODSM Home screen. It provides additional status information not currently found in EM - such as adapter status and version information. Next we take a look at the ODSM Data Browser, which is often used by administrators to quickly see how the data will appear in OVD. I would like to highlight the fact that we have made this data view much nicer for common LDAP data. In this example we are looking at a person entry - note that we show the most common data in an easy-to-read format. And if you have a picture for the entry, it shows up (otherwise we show a default icon). This can make it easier to actually check the data because most other LDAP tools don't really make it easy to see the data - they cloud it with attributes you don't really care about. We still provide access to all attributes, but for the common data you probably care the most about - it's highlighted up front. Finally - all 11g Identity Management will write audit data to a common audit system. By default this is written to a text file. However, it is possible to write this data to a database. And if you write the data to a database, we provide a standard set of Oracle BI Publisher reports.


Celebrating the moon

Today is the 40th anniversary of the first manned moon landing by Apollo 11. And here is a link to one of my favorite photos - the launch of the Saturn V sending them on their way.

I also have a personal connection to the moon landing. My grandfather actually knew Neil Armstrong's parents and even met Neil several times when Neil was a teenager. Though to be candid - as I told my mom, I'm not sure if you could have picked a more boring person to be the first person on the moon. I really wish Jim Lovell (commander of Apollo 13 and first person to make 2 trips to the moon, though unfortunately never able to land) had been the first because he's much more comfortable doing publicity.

That being said - I really wish Obama would come out and have a bold new vision of space exploration. One that encouraged private exploration - basically NASA could act like the FAA for coordination. Exploration shouldn't be limited by the winds of politics. Whether it's actually sending more people to the moon (or beyond) or better unmanned platforms (it should be pointed out that much of what we have found out about the universe, including the stunning Hubble photographs, has come from unmanned missions). I doubt there is much money in space exploration beyond space tourism, but then I'm sure the same was said of the early sea explorers.

But I want to unshackle the next generation of explorers from the whims of politicians. I want my nieces and nephews, who play with their Lego-built spaceships, to think of really flying in space. I want to see Red Bull sponsored moon racing. In short - I want to see what we can do next so that when 2069 rolls around we're not talking about 100 years ago being the last time we set foot on the moon.


Strong Web Passwords Are Not As Helpful As You Think

Saw the abstract of a new security paper via Schneier. In short - strong passwords do not really do a better job of securing accounts than you might think. This is because they do not do anything to prevent phishing and related social network attacks (not to mention good ol' sniffing of the network for passwords sent in the clear). And the 3-strikes rule on most sites is sufficiently good security to prevent brute force attacks (I've long argued that most attacks do not go directly against the password database, but through the app, and this seems to prove my hypothesis).

Another nugget from this abstract: if a larger credential space is needed, it appears better to increase the strength of the user IDs rather than the passwords.

Oracle Identity and Access Management products can help you implement both passwords as well as increase the strength of identities via Oracle Adaptive Access Manager. With the improved reporting in 11g Fusion Middleware it is also possible to track all password requests from the application they were entered through to the directory services layer. Thus customers can be more aware of when password failures occur and why, which can help them create policies to improve their security. Because as they used to say on the old G.I. Joe cartoon - "knowledge is half of the battle".
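As an added example (not from the post or any Oracle product), here is a small replay of the 3-strikes rule over a constructed audit trail, plus a report that shows where failures came from: the kind of "when and why" view the post says the 11g reporting makes possible. The event fields, applications and addresses are all made up.

```python
"""Added example (not from the post): a 3-strikes lockout check and a
failure report over a constructed audit trail. It illustrates the post's
point that knowing where password failures come from matters more than
password length."""
from collections import Counter, defaultdict
from dataclasses import dataclass

MAX_STRIKES = 3  # the "3-strikes rule" the post refers to


@dataclass
class AuthEvent:
    ts: int          # seconds since epoch (constructed)
    user: str
    app: str         # application the credential was entered through
    source_ip: str   # constructed, documentation-range addresses
    success: bool


# Constructed sample audit trail: alice gets four wrong guesses from one
# source, bob mistypes once, and one source fails on six different accounts.
EVENTS = [
    AuthEvent(100, "alice", "webmail", "192.0.2.10", False),
    AuthEvent(101, "alice", "webmail", "192.0.2.10", False),
    AuthEvent(102, "alice", "webmail", "192.0.2.10", False),
    AuthEvent(103, "alice", "webmail", "192.0.2.10", False),  # already locked
    AuthEvent(110, "bob", "portal", "192.0.2.20", False),
    AuthEvent(111, "bob", "portal", "192.0.2.20", True),
] + [
    AuthEvent(120 + i, u, "portal", "198.51.100.7", False)
    for i, u in enumerate(["carol", "dave", "erin", "frank", "grace", "heidi"])
]


def apply_lockout(events, max_strikes=MAX_STRIKES):
    """Replay events in time order under a per-account lockout policy.

    Returns (locked_accounts, rejected_events): accounts that reached the
    strike limit, and attempts refused because the account was already
    locked. A successful login resets the account's strike counter.
    """
    strikes, locked, rejected = Counter(), set(), []
    for e in sorted(events, key=lambda e: e.ts):
        if e.user in locked:
            rejected.append(e)
            continue
        if e.success:
            strikes[e.user] = 0
        else:
            strikes[e.user] += 1
            if strikes[e.user] >= max_strikes:
                locked.add(e.user)
    return locked, rejected


def failure_report(events, min_accounts=5):
    """Summarise failures by application and flag sources whose failures are
    spread across many accounts: per-account lockout never trips on those,
    so they only become visible when failures are tracked end to end."""
    by_app = Counter(e.app for e in events if not e.success)
    users_by_source = defaultdict(set)
    for e in events:
        if not e.success:
            users_by_source[e.source_ip].add(e.user)
    distributed = {ip for ip, users in users_by_source.items()
                   if len(users) >= min_accounts}
    return by_app, distributed
```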


URL Shortening Services Are Lemurs of the Web

Jeff Atwood has a rant against URL shortening services. In short - he thinks that the URL shortening services (like TinyURL or Bit.ly) are going to kill the Web because of Twitter, and the urge to make money off them will destroy hyperlinks as we know them. Except that they won't. Here are my quick thoughts on why this is so:

First - while it may seem like everyone is on Twitter - most are not.

Second - the 140 character limit on Twitter will eventually go away. It's only limited to that because of an SMS limitation. Saying you will only ever need 140 characters to communicate is akin to the infamous "You will only ever need 256KB of RAM".

Third - the URL shortening functionality will become more pervasive. This is what I mean about URL shortening services being lemurs. In the biological tree where you find primates, there are actually two broad types: apes (gorillas, humans, monkeys) and lemurs. Lemurs are these cute creatures, primarily found only on Madagascar, and are older than other primates. They are most notable for basically being the first animal to have an opposable thumb. But for a variety of reasons they never evolved further, and probably only exist because Madagascar is an island cut off from the rest of Africa (thus lacking a reason to evolve further) but with enough food and habitat to continue to thrive as they were.

That's how I feel about URL shortening services. URL shortening is the opposable thumb of hyperlinks. And the first URL shortening service (TinyURL) is kind of like the ancestor primate (the common ancestor animal that both apes and lemurs evolved from). The other URL shortening services that tried to do more than what TinyURL did are more like lemurs. They were the first to make use of this opposable thumb. But I expect what will happen is that the larger sites will develop their own URL shortening links.

This will likely happen because sites want to keep control of their links as much as possible and avoid possible issues with the URL shortening services (e.g. the service disappears, it starts to insert ads for your competition, etc). Oracle has a form of this (occasionally you will see links like oracle.com/goto/db) as does Amazon. The popular Web frameworks will most likely give you a way to generate them as part of their standard function set. But because there will be those who don't want to or can't shorten, there will still be enough demand to keep a few URL shortening services around to shorten them for you.


Understanding Innovation

Last week Marc Canter posted his collection of links for the first week of May. However, one item caught my attention:

See how this works? TinyURL creates a market, the VCs swarm in and fund up bit.ly and now everyone will have their own URL shortener. This is how our industry works. No innovation, just copying the sure thing.

I wanted to respond to this as a way to tie together some thoughts building in my head based on a couple of books I've read or am reading recently. The first book is "The Innovator's Dilemma", which covers (based on empirical research) why successful businesses are replaced by upstarts based on a variety of factors. His focus was on disk-drive manufacturers - effectively the leaders of a form factor (starting with mainframe drives) were replaced by new leaders when new form factors emerged, because the new form factors didn't meet the requirements to succeed initially but blazed new markets until they could attack the older market. He then points out how this has been repeated in other industries like steel (with mini-mills). The second is "Why Evolution is True" - the title basically says it all :).

Here is how I would respond:

First - as an investor in any project (and by investor this isn't just the VC, it's the employees as well - even if that's just working a job for a paycheck) you want to increase your chances to succeed. That's easiest when you have an existing market. Nothing is harder (and more likely to fail) than establishing a new market. Remember Apple didn't invent the personal digital media player market. They just perfected it.

Second - just because products are in the same basic market does not mean there is no innovation. First a non-tech comparison - coffee. Aka "Starbucks Wars". We all recognize that Starbucks helped create the market for good-tasting coffee and "coffee drinks". This of course spawned numerous direct copies but also spurred innovation in other areas. This ranges from McDonald's (I occasionally like to indulge in a Bacon & Cheese McGriddle - now I can do so with a pretty good tasting cup of coffee) to local coffee shops that serve areas where Starbucks won't, and even to home coffee. Without Starbucks the home Flavia wouldn't exist, and I would probably be drinking instant. Instead I get to indulge in a really good tasting coffee that is fresh-brewed, single serve and comes in a number of varieties. This also includes the ability to make "mixed" drinks like cappuccinos. All basically are "coffee", but a wide variety of innovation within the same market.

In the biological world my favorite example would be dogs. Dogs have the most variety of any single species (a species loosely being defined as biological organisms that can produce fertile offspring). My friend Tracy owns the best examples of this. He has two dogs - one is a miniature chihuahua (weighs < 2 lbs) and the other a golden retriever (weighs > 70 lbs). My own dog is a mini-dachshund which is bigger than the chihuahua (about the only dog he's bigger than) but still much smaller than the retriever. All share a common ancestor (current thought is that the original dog was a wolf in Europe). But each has different traits that were bred to differentiate the breed. For example - dachshunds are short, squat, excellent diggers with loud barks because they were bred to hunt badgers.

So now back to URL shorteners. A URL-shortener service is a service that allows you to take a long URL (such as an Amazon book link, a Google Map URL, practically any Oracle.com URL) and converts it into something that is much shorter. Initially this was done to make it easier to exchange links via email. Now it's practically a requirement if you use Twitter. Let's look at the three examples referenced in Canter's post: TinyURL, Bit.ly, Amazon (ironically this link is to a blog post that is itself hosted by another URL-shortener service...).

While they all belong to the same common market, I would disagree that they are all copies of each other. TinyURL is basically just a URL shortener and was the market originator. Bit.ly allows you to track how many people actually click on your link, which is useful, even if just for vanity reasons. Amazon has a long history of adding services that make it easier to use their marketplace; additionally this helps control their brand without actually restricting the other services.

In short - innovation most often occurs within a single market category. And while from a high level this may appear to be the same thing, there are usually strong differentiations, in particular for the successful.


BT and Oracle: Managed Fraud Reduction Service

Fellow PM (on the OAM Suite team) Mark Karlstrand has just posted a link to stories about our new service with British Telecom (BT). I think this is important - not only because it involves Oracle products and a partner, though it does give me a chance to talk about some interesting facts I've learned over the past few days.

First - this is important because identity assurance (aka how much do I trust that you are you) is vital to doing business.

Second - this is an excellent use case of how telcos can add value (and thus revenue) based on the things they already do well besides simply selling you the data pipe.

Third - mobile phone adoption is growing at a massive rate - it's being said (I believe I saw it in a Mobile 2.0 presentation) that by the end of 2010 half of the planet will have access to mobile phones.

Fourth - twice the number of people have mobile phones than have credit cards (though I'm pretty sure anyone who has a credit card has a mobile phone) :).

Fifth - in many places (in particular the developing world) mobile phone minutes are a form of currency - thus the market for this type of service is practically unlimited (though how you convert minutes into money for your quarterly reports will need to be worked out :)).

Exciting stuff, and it will be interesting to see how the adoption of the service goes.


Fiction as Analogy of Identity vs Persona

I'm on a bit of a Star Trek kick here on the blog. Though to be clear - I'm a pan-sci-fi fan. Meaning I dig Star Trek, Star Wars and Battlestar Galactica (both the original and updated) pretty much equally. I'm also a big fan of classic NASA. (That's the Saturn V which was used to go to the moon. I cannot describe my thoughts on the Space Shuttle in a family friendly manner - having one explode over your house (Columbia) leaves a sour taste.)

But the point I wanted to make in this post was about expectations for the new Star Trek movie coming out this week (May 8), and to see how the core fan base will react. The element is that, beyond simply the origin story (which is going to both anger and enlighten the core fan base), can Trek move forward with new actors playing the original characters? This is something Gene Roddenberry always hoped for - after all, nobody knows (or cares) who first played Macbeth. And we've had several people play similar mythological characters (from Batman to Superman to James Bond).

But for many people the persona of Captain James T. Kirk is personified by the identity of William Shatner. Of course Shatner is still working (though he hasn't played Kirk in almost a decade), which keeps him in our public mind's eye. However, he's one of the few actors to be successful in multiple character roles - we may mock him, but it's quite amazing to look at the array of personalities he's played - Kirk, T.J. Hooker, Denny Crane. He's also had a number of smaller hits - Rescue 911 (the first successful reality show) and Tek Wars (based on a successful series of books he co-wrote). And Priceline.com would not be as successful without him as their pitchman.

And I think this does tie into some discussions around identity vs persona on the net. The single identity - William Shatner - is known as different personas depending upon context. But unlike the net, TV and movies help you know what context he's in (Kirk's Starfleet uniform is much different than his suit & tie as Denny Crane). That shifting of context, and the ability to completely separate contexts, will be key to the future evolution of the net, because even in real life we have our "work persona", our "family persona" and our various "friend personas". We need to be able to better separate these contexts to improve the social aspects of the net. I don't believe there are any magic bullets here - I think it's going to take a deployment of new technologies (like IGF) and updates of laws & social norms (I strongly suspect a rise of the importance of the self over the collective, which is the foundation of most notions of privacy, will happen).

Finally, for what it's worth - I'm anxious to see the new Trek. I think they are smart to do an origin movie and a new set of adventures. Hopefully the movie will aim to please an older audience instead of the kids, the way Lucas went with the recent Star Wars. I don't need it as dark as the new Battlestar, but I don't want 9-year-olds flying the Enterprise either.

