Monday Feb 21, 2011

Register Today for Free Webinar: Oracle Security Online Forum Feb. 24

Oracle and Accenture are holding a new joint event focusing on security. The event will feature great line-up of speakers and sessions that will last from 9:00-1:00pm PT on Thursday, Feb. 24. The event will focus on Security topics that face the enterprise today. The event kicks-off with a keynote presentation detailing emerging security trends and where we think security is headed in the next decade. Please join us for 30 minutes or the entire day.

Key Speakers:

  • Mary Ann Davidson, Oracle’s Chief Security Officer, on industry-leading standards, technologies, and practices that ensure that Oracle products—and your entire system—remain as secure as possible.

  • Jeff Margolies, Partner, Accenture’s Security Practice—on key security trends and solutions to prepare for in 2011 and beyond.

  • Vipin Samar, Vice President of Oracle Database Security solutions—on new approaches to protecting data and database infrastructure against evolving threats.

  • Tom Kyte, Senior Technical Architect and Oracle Database Guru—on how you can safeguard your enterprise application data with Oracle’s Database Security solutions.

  • Nishant Kaushik, Chief Identity Strategist—on how organizations can look to Oracle Identity Management solutions to help them reduce fraud and streamline compliance.

Full List of Sessions: Look here for sessions tab for list

Friday Feb 18, 2011

Cloud Security Grows Up! Gmail & Two Factor Authentication

A great leap forward for security and the cloud.  Google announced last week that they will support two factor authentication within there very popular Gmail application.  I have used Gmail for years and have enjoyed how it has provided innovation within a very important aspect of communication.  However, security has been a secondary consideration within the innovation life-cycle.  They were one of the first to institute security questions but this is not enough these days.  Especially after high-profile people have had email accounts hacked with similar security features (e.g. Sarah Palin).  

So here is the way that it works.  Go to this page on Google's help site and they will walk you through the options.  What is great about the way they have implemented the system is that no matter what your phone situation they have you covered.  So, even those with a simple land-line to the house can benefit from the increased security.  The real question is whether the users will take security seriously enough to take the 5 minutes to configure.

Google has been more committed than most to the importance of security.  I encourage you all to read their philosophy on security.  You can read more about their philosophy here.

Monday Oct 18, 2010

Security Breech at University Leads to Questions About Fraud Prevention

There are several news articles in today's press that remind us all of the damage and cost of not having the right security defenses in place. A study by the National Fraud Authority as reported in The Register claims that the UK loses $4.13B to Identity Fraud each year. According to the report the average theft results in $1530 in benefit to the thief. In these tough economic times, this is a dramatic drain on scarce resources and should underline why business should ensure they have the right fraud prevention and access management strategy in place to protect their customers.

The second article has to do with the recent breech at the University of North Florida had a breech which compromised over 100 thousand identities. Universities continue to struggle with identity security with a number of breeches over the last 5 years which have hit the headlines. The University has unique challenges with the number of students/identities that turn-over year quarter or semester. In some cases this is close to 25% per quarter or year. In addition, the students in some computer labs are inquisitive and experimenting with the latest hacks challenging even the toughest security measures. Ask any Network Admin at a major university about application and network security and you will hear some amazing stories. In some cases, way more exciting than corporate network security. However, this is a side-topic for another blog entry sometime.

The key to ensuring that you have the right level of protection is adding an additional layer of security and Oracle Adaptive Access Manager is a great solution for this purpose. Ensuring you have tools that allow for real-time response to rules you define on access helps prevent unauthorized access to applications and network resources. In addition, you can use features like One-Time Password to layer authentication security on key resources to ensure you combine something you know with something you have to improve security. Here is a quick intro to how Oracle Adaptive Access Manager can help.

Friday Oct 01, 2010

Security: Zeus brought down by Operation Trident Beach

I am finally caught up after a great week last week at Oracle Open World.  And it was just in time to read about this great bit of international crime fighting bringing an end to an international cyber-crime ring using the Zeus Trojan to steal allegedly $70M.  Details are still coming out but according to this article by The Register the crime ring was able to deploy Zeus and key-log individuals bank accounts and then use "money mules" to access the accounts and make withdrawls illegally.  One thing is for sure you have to admire the naming capabilities of the team which came up with "Operation Trident Beach" which shows marketing doesn't have a monopoly on naming talent.  Here is a quick paragraph taken from The Register article (full text here): 

Trident Beach began in May 2009, when FBI agents in Omaha, Nebraska learned of automated clearing house batch payments to 46 separate bank accounts throughout the US. Agents eventually brought in counterparts from the other involved countries. The payments are a hallmark of Zeus scams, in which hackers break into victim bank accounts and then clean them out using the bank's ACH transfer system.

The thieves targeted small- to medium-sized companies, municipalities, churches, and individuals.

 I was talking with Mark Karlstrand, the Product Manager for Oracle Adaptive Access Manager, and he mentioned that the product has two critical features that would have prevented this from happening.  According to Mark:  "The KeyPad virtual authentication device could have prevented the password theft via key-logger. The use of the passwords from Eastern Europe and other behavior anomalies could have been detected by OAAM real-time risk analytics."  As more details come out about the cyber-crime ring and Zeus we will bring you details. 

Friday Sep 10, 2010

IDM at Oracle Open World

Oracle Open World is fast approaching and the time to register is NOW so you don't miss out.  This year the show is going to be a blast.  I have heard rumors about the band that will be performing one night but you know what they say about rumors.  More importantly, the IDM team have a lot of new things to talk about at this years show.  First, we released 11g this summer which included exciting new approaches like Service Oriented Security, better user experience and new features for:

  • Oracle Identity Manager
  • Oracle Access Manager
  • Oracle Adaptive Access Manager
  • Oracle Identity Analytics

If you want a comprehensive list of all the sessions so you can follow along.  Please visit the Focus On Identity Management document located here.  Also, we have five don't miss sessions which you need to attend.  Here are the dates and times.  Or, you can find them on our Facebook page here.

 Date & Time
 Title of Presentation
Mon 11am Oracle Identity Management 11g Overview Moscone South 309
Tue 2pm Simplify IDM with Directory Services –
Moscone South 309
Tues  3:30pm Oracle’s IDM Strategy (for Sun, Oracle Customers Alike)
Moscone South 310
Wed 1pm Building a Strong Foundation for Your Cloud with  IDM
Moscone South 309
Wed 4:45pm Complete Identity & Access Governance with OIA 11g
Moscone South 309
Tues 5pm How Cisco Achieved Large-Scale, Highly Available Access Management Moscone South 310

The last time the Identity Management team was all together a  few photo's were taken and I have included one from that fun event at Burton Catalyst.  Hope you will be able to join us!

Tuesday Aug 17, 2010

Free Webinar Aug. 18: Quick-Start Compliance with Identity Analytics

Identity compliance projects don't have to be hard!  The key to any successful project in IT is delivering value to the business quickly!  It is critical to then leverage those early wins into larger wins for the organization.  When I used to coach I likened this to walking up a staircase.  McKinsey used the analogy to describe the approach successful companies took to manage successful growth. (take a look here)  

Oracle Identity Analytics provides a set of tools that can help organizations take the first step up that staircase to Compliance quickly.  The approach allows organizations to show value quickly and then build upon those early wins to build better security into the organization.  This webcast tomorrow will give insight into how organizations can build in proper segregation of duties, 360 degree review's and proper attestation of roles.  One customer of the product used to print out a conference room of paper and had his compliance auditors and business managers review the roles and access rights to meet compliance.  Imagine if you had the tools to ensure you could make this process easier.  Register today and find out how.

Register Today Here:

Customer Stories: Tackling Compliance Challenges with Oracle Identity Analytics

Date: Wednesday, August 18, 2010
Time: 10:00 am PT / 1:00 pm ET

Featured Speakers:

Naynesh Patel,
Simeio Solutions

Neil Gandhi,
Principal Product Manager,
Oracle Identity Analytics,
Oracle Corporation

Thursday Apr 29, 2010

Register Today for this Webinar! Improve Time-to-Market and Reduce Cost with Oracle Directory Services

In some studies, enterprises are spending up to 60% of their IT budgets on operational costs thus impacting the available budget to spend on innovation. The challenge we all face in the identity and IT departments is how to get the most out of our existing licenses and reduce cost where possible in delivering IT projects. One of the costly areas of projects is getting at identity data when it lives in legacy applications. This is especially true when you look at Federation projects, mergers and acquisitions or in data center consolidation projects.

If you are running a Federation project and have to access identity data in legacy or disparate data sources and feel like you are herding cats then this webcast is for you! Virtual directories provide a critical tool for Federation projects as they allow you to expose identity attributes without changing code in legacy applications. Additionally, you have control over how the data is accessed allowing you to manage sensitive service level agreements which can cause difficult political battles in organizations when discussing access.

If you have worked on a data center consolidation project either driven by a merger, acquisition or as part of a cost control exercise you need to have a full bag of tools.  The tools you bring to the project provide the critical agility needed to meet time-lines but also to minimize impact on business operations.  Virtual Directories allow you the ability to connect to data sources without having to alter the application code.  This reduces resource requirements, increases speed but most importantly maximizes business continuity.   

Register here for this webinar and we will look at ways virtual directories can help you become an identity hero in your organization.

Tuesday Apr 27, 2010

Iron Man, Identity Security and the Cloud

If you are a security expert and you have not been to the new Oracle Iron Man 2 website you have to take a look at the cool demo site listed under "Stark Expo".  The intro has a great security questionnaire on Security in the cloud in an cutting edge interface.  If you read yesterday's blog, and went to the Iron-Clad Cloud: Secure Cloud Computing article in the new Security Newsletter, you were able to get an insight into way's Oracle can help secure the cloud.  You will also do well on the questionnaire at "Stark Expo".

 Go Check it out!

In Iron Man 2, Oracle is a proud sponsor of Stark Expo, a world-class tradeshow that depends on a cloud computing architecture to ensure that all systems are free from overload. And that’s where you come in: by becoming a Master Cloud Operative, you’ll help keep Stark Expo up and running. Complete your training, test your troubleshooting skills, and get certified in the Oracle Pavilion.

Wednesday Nov 18, 2009

Twitter, Facebook Hacks Last Week Good Reminders Of Socialmedia Identity Security--Ugggh not Ugg Boots

Taken from CIO Ugggh....last week we were reminded of how social media platforms are vulnerable to identity security problems. Two colleagues of mine were hacked in the twitter and an add was posted to my facebook account via cross-posting feature in Facebook (I love uggh boots, I just didn't plan on advertising them on my Facebook account.  More about this later).  One of the powerful aspects of social media sites is the extended conversation that users can have with their friends, colleagues and communities that participate.  However, if social media sites don't work more aggressively to thwart security holes in their platforms they will undermine the credibility and trust they have worked hard to gain with the mobile IT generation.  This is not a new problem. 

The twitter hack is not a new one and in the short term can be rectified by changing one's password immediately.  However, with the simplicity of being able to acquire the password there seems to be a problem that the twitter team needs to plug immediately.  I have severely restricted my link clicking activities as a result of these vulnerabilities and tell family members not to click links when possible.  However, this takes the fun out of getting access to content quickly or participating in events that are happening immediately (e.g. conferences, concerts, etc.).  

As for the cross posting via Facebook, first let's talk about what constitutes cross-posting.  Cross-posting is a great feature if used properly.  It is a way for you to post to wider groups of people and this is useful as communities sometimes do not always overlap. Simply put, it is where a bot or user puts a comment in a blog that has been posted to Facebook or other social media site. Because a trust relationship has been established between the post and social media site comments are "retweeted" to the social media site it has been published. 

I have three options to ensure that this does not happen in the future.  One, do not post/share blog entries on Facebook; two, remove the trust relationship from Facebook to my blog; three, review all comments before allowing to be published to my blog. All of them are not good options.   I will probably choose the third because it allows me to still share my blogs with my friends on Facebook but yet maintain some level of control over what is "retweeted" to my friends.  Each of the blogging platforms allows a different level of control and easy access to the social media platforms so investigate and determine which is best for you.

Lastly, here is a quick overview of the top 8 social media hacks as of August, 2009 by Michael Eggebrecht from CIO Zone (thanks for the great picture top left).  He outlines the top 8 social media hacks so far (e.g. Koobface, Twittercut, Best Video, etc.).  If you are not reading Mashable  already then I suggest taking a peruse as they have great coverage of different events and issues associated with this emerging space.

Tuesday Nov 17, 2009

NEW!! DSEE 7 Download, Documentation and Upgrade Guide Available Today

DSEE 7.0 is available for download today here with new documentation here.  The critical document you want to look at is the upgrade and migration guide here.

Directory Server Enterprise Edition 7.0 Boosts Speed and Performance: 

Considered one of the best extranet LDAP Directory Servers in the market today, the latest version of Directory Server Enterprise Edition allows enterprises to accelerate growth in a simplified way, improve performance and lower total cost of ownership. Directory Server Enterprise Edition 7.0 has been optimized to improve performance by more than three times when compared to its predecessor. In addition, this release provides innovations that improve authentication and modification performance by 60 percent, allowing customers to accelerate their applications without changing one line of code. 

What's New with Directory Server EE 7.0

Boosts speed and performance: DSEE 7.0 has been optimized to improve performance of some operations by more than 3x the current version. In addition, this release provides hardware optimization with up to 60% improvement in authentications and modifications. 
Reduces Total Cost of Ownership– Reduce cost by using the only solution in the market that provides customers with a directory server, virtual directory, proxy server, web console and Active Directory synchronization tool-kit under a single license. 
Hassle Free Upgrade – DSEE 7.0 provides a simple upgrade path and provides 5x performance improvement in data import times, thereby reducing migration costs. 

You can see a webinar we did recently on DSEE 7 and Role Manager 5 on why this release is important to your business and how this can help your company meet growth goals and reduce your total cost of ownership.

Friday Nov 13, 2009

Webinar: Identity Management and Healthcare

The  Sun Identity Management team will be giving a webinar next Wednesday to discuss the very important topic of Identity Management and healthcare.  As the healthcare legislation moves through congress the increase of 36M patients on healthcare providers, insurance companies, and patients will be profound.  The cost savings projected by the bills will rely on IT systems to provide increased access to information to drive productivity gains.  As we have seen with recent high profile identity security breeches at hospitals identity security is critical in making sure the right people have access to the appropriate information, that information must be shared with all members of the value chain securely.

Sun's Identity Management Suite provides a powerful package of solutions to help with storing identity information with Directory Server Enterprise Edition;  managing authorization, federation and web services security with OpenSSO; providing provisioning solutions with Identity Manager; and, defining and managing role based access control with Role Manager.

Join this free Webinar to learn how Sun's identity management solutions can help your organization to:

  • Automate management of digital identities for other providers, patients, physicians, clinicians, and payors Provide single sign-on (SSO) and secure federated access to privacy-regulated healthcare information while adhering to strict mandates
  • Enable delegated, self-service password management
  • Comply with the Health Insurance Portability and Accountability Act (HIPAA), internal security policies, and corporate governance policies with complete auditing and reporting capabilities

Sun identity management solutions make it easier for healthcare organizations to manage and share digital information.

Register here.

Topic: Topic: Sun Webinar Series - Identity Management for Healthcare
Date: Wednesday, November 18, 2009
Time: 10:00 am PDT / 1:00 pm EDT / 19.00 CET (check my timezone)
Duration: 1 hour

Sun Product Manager Suresh Sridharan

Friday Nov 06, 2009

Google Dashboard and Identity Security

This week Google launched a new service called Google Dashboard which can be found in the account settings in top right hand corner under "personal settings".  The service is a great idea for a couple of reasons.  One, it served as a reminder (at least to this user) of all the services that I had actually signed-up for from Google over the years.  Which given the pace of their innovation and continuous beta approach and my propensity to try new things in the technology space was quite a few.  The second reason and arguably the most important was that it offered you the link to go and manage your privacy settings from the dashboard to the services you have subscribed.  This is critical and important for those customers and users that are interested in actively managing their identity at Google. Here are the reasons why!

In the world of Web 2.0, Mashups and Federation business's are constantly stitching together different applications to provide value to customer's and consumer's. Organization's need to give user's control of their privacy setting's to allow them to control what information they share when and where on the internet.  Most user's don't mind providing the information or more likely are unaware of what they are sharing. This is why the Google Dashboard feature is a powerful tool for user's to improve their security. The ability to access these privacy setting's existed in each of the services that Google offered. However, as I mentioned above, I had forgotten about all the different services I had signed up for within Google Land. This consolidation in one spot, gave me information, power and most importantly choice in one spot making my ability to make better decisions about how my identity is managed on the internet. 

Facebook has learned this lesson and has done a lot to put the power in user's hands of controlling how applications user their information.  I applaud what they have done to provide not only the tools but the education to users about what that privacy information actually means.  You can join the Facebook Security Fan Page to get updates on different steps they are taking to improve the choices users have to manage their identity data.  Another great step they have taken is also in the user experience they provide users in the pages that manage services and privacy by providing contextual help for users.  Big improvements that contribute to better user decision making.   

Click here and go check out your dashboard.  

Wednesday Nov 04, 2009

Gartner IAM, Nov. 9-11: Identity Management Isn't Hard

Next week, Nov. 9-11, the Identity Management Team travels down to Gartner Identity Access Management conference to showcase two of our latest releases DSEE 7 and Role Manager 5.  Gartner IAM is a great event because it not only gather's together experienced practitioners in the identity management space but has a number of events that are small enough that you can have quality conversations about real problems.  Last year, Verizon presented at this conference on the Directory and OpenSSO implementation that serves 50M users.  The presentation is a great example of the proven expertise that Sun brings to Identity Management and the proven extranet scale our products can support---not a marketing benchmark.


Our team has taken a different approach to this even this year and we are participating in Gartner's Learning Lab's.  Vendors, customer's and identity specialists are encouraged to come-by in a classroom style and learn about specific problem's Sun's product, partner's and customer's are using to solve their identity business problems.  This is crucial today as the cost of failure or doing nothing rises exponentially.  The best way to ensure success is to learn from real-world implementations not marketing based slideware presentations.  This is why we have assembled not just the product teams but partners and real customer's to share their experience in these "learning labs".

The other great thing about Gartner IAM is that there are usually a few different ways to combine great industry expertise and a little fun.  On Tuesday, Nov. 10 at 9:00pm you can meet the Sun Identity team at the Hard Rock Rooftop bar for drinks and conversation.  The first 50 people get a wristband for free drinks.  Identity management isn't hard so come to the Hard Rock to find out how to make it easy! 

Gartner IAM Sun Schedule

Monday, Nov 9th

Learning Lab:

12:40 - 1:05pm “Increase Speed & Performance while reducing TCO with Sun Directory Server Enterprise Edition” Speaker: Nick Wooler, Sr Product Manager – Sun Microsystems

1:05 - 1:30pm “Changing the Rules of the game; Raising the bar with Rule Life-cycle Management and closed-loop remediation” Speaker: Neil Gandhi, Sr Product Manager – Sun Microsystems

1:35 - 2:00pm "IAM Governance, Risk and Compliance -- the future of IAM", Speaker: Sachin Nayyar, President - BrinQa

2:05 - 2:30pm "Enterprise Single Sign On for Sun Identity Management", Speaker: Stephane Fymat, VP of Strategy and Product Management - Passlogix

Sun Booth:

12:30 - 2:30pm Daniel Raskin showcasing OpenSSO

12:30 - 2:30pm Mat Hamlin showcasing Identity Manager

Tuesday, Nov 10th

Learning Lab:

12:10 - 12:35pm “Role based user provisioning; using business roles for identity life-cycle management and identity auditing”, Speaker: Mat Hamlin, Sr Product Manager, Sun Microsystems

12:35 - 1:00pm “Three tough challenges, one powerful solution: OpenSSO for web access management, federation and Web services security”, Speaker: Daniel Raskin, Chief Identity Strategist – Sun Microsystems

1:05 - 1:30pm "Privileged Identity Risk Management: Mitigating the Insider Threat", Speaker: Richard Weeks, VP of Channels and Business Development, Cyber-Ark

1:35 - 2:00pm "The WHO behind the WHAT: Arcot Authentication and Sun OpenSSO Enterprise "  Speaker: R 'Doc' Vaidhyanathan, Chief Product Officer - Arcot

Sun Booth:

12:00 - 2:00pm Nick Wooler, showcasing DSEE

12:00 - 2:00pm Neil Ghandi, showcasing Role Manager

Wednesday Jul 08, 2009

Webinar: Government Identity Management (Register Today)

Identity management in government is a very important topic as it crosses a number of domains.  There are a number of issues as government's across the world pursue e-Government initiatives.  Norway is a great example as they have launched a portal to allow citizens to opt into services that they wish to consume from the government (e.g. postal, doctor, etc.).  The government portal in Norway uses OpenSSO.  This is only one of the ways in which Sun is helping governments further information sharing and reduce the cost of providing citizens and organizations the services they need to be successful.

If you are interested in hearing more about the different way's Sun can help governments help solve Identity Management issues such as the following, please attend the following webinar.

  • Secure control over information access by dynamic and diverse user populations
  • Single sign-on and identity federation for seamless operations across multiple IT environments
  • Automated provisioning and deprovisioning to reduce costs
  • Delegrated and self-service account management to improve the user experience
  • Auditing and reporting to meet internal security and compliance requirements

Event:  Identity Management for Government
Date:   Wednesday, July 15, 2009
Time:   10:00 am PDT / 1:00 pm EDT / 19.00 CET
Reserve Your Seat Today!

Wednesday Dec 10, 2008

Socialnetworking Not Immune as Facebook Is Hit By Koobface

If you are a Facebook user that has received some crazy emails recently from "friends" with enticing subject lines to click on a video or picture should think twice before clicking the link.  The Koobface virus has rared it's ugly head again and for some in the eweek article posted here have had to throw out their PC's because of being infected.  Facebook has been great about identifying scams and exploits and maintains this page for users to get information about their security.  

In the interest of spreading the word and propagating good usage of the internet:

Here are some ways to be smart and aware on Facebook:

  • If a link or message seems weird, don't click on it. This is true of all spam—whether a chain letter, an ad, or a phishing scam. If it seems weird for an old friend to write on your Wall and post a link, that friend may have gotten phished. Let the person know, and don't click on links you don't trust.

  • Be aware of where you enter your password. Just because a page on the Internet looks like Facebook, it doesn't mean it is. Learn to tell the difference between a good link and a bad one.

  • Report any spam or abuse you see on discussion boards and Walls. Those report links are there for a reason. The sooner we find spam, the sooner we can remove it and eliminate spammers from the site.

  • Don't use the same password on Facebook that you use in other places on the web. If you do this, phishers or hackers who gain access to one of your accounts will easily be able to access your others too. You might find yourself locked out of your email and even your bank account.

  • Never share your password with anyone. Don't do it. Facebook will never ask for your password through any form of communication. If someone pretending to be a Facebook employee asks you for it, don't give it out, and report the person immediately.
  • Don't click on links or open attachments in suspicious emails. Fake emails can be very convincing, and hackers can spoof the "From:" address so the email looks like it's from Facebook. If the email looks weird, don't trust it, and delete it from your inbox.

  • Add a security question. If your account ever does get stolen, you might need this to prove your identity to Facebook. If you haven't already done so, you can add a security question from the "Account Settings" page.

Also, if you are interested in avoiding scams during the holiday season here is a helpful site from CNET.  The site can be viewed here.


Sharing 12 years of technology experience as developer, product and program manager, and marketing director. Identity Management, Security, and Product Management issues occupy my mind during the working day. Water Polo keeps me healthy.


« July 2016