Thursday Nov 29, 2012

K-12 and Cloud considerations

Much like every other public sector organization, school districts in the US and Canada are under tremendous pressure to deliver consistent, modern services while operating with reduced budgets, IT personnel shortages, and staff attrition.  Electronic/remote learning and the need for immediate access to resources such as grades, calendars and curricula are straining IT environments that were already burdened with meeting privacy requirements imposed by both regulators and parents/students.  One area viewed as a solution to at least some of these challenges is the use of "Cloud" in education.  Although the concept is nothing new in education, with many providers already supplying educational material over the web, school districts are now handing services they previously hosted in-house to established commercial vendors for document sharing, application hosting, and even e-mail.  Doing so, however, does not remove one important risk: privacy.  Cloud implementations are viewed with skepticism because the organization is perceived to lose control over how its sensitive data is managed and protected, yet with a careful approach and the right tooling the benefits of the Cloud can extend to security and privacy as well.  

Oracle's comprehensive approach to data privacy and identity management ensures that the necessary tools are available to support regulations, operational efficiencies and strong security regardless of where the sensitive data is stored, on premise or in a Cloud.  Common management tools, role-based access controls, access policy management and engineered systems from Oracle can be the foundational pieces on which school districts build their Cloud implementations without having to build the underlying security themselves. Their biggest challenge, and it is a positive one, is how best to take advantage of Oracle's Database Security and IDM functionality to reduce operational costs while delivering modern applications and data to those who need access to it. For more information please refer to and

Wednesday Sep 26, 2012

Oracle Solutions supporting ICAM deployments

The ICAM architecture has become the predominant security architecture for government organizations.  A growing number of federal, state, and local organizations are in various stages of deploying Oracle ICAM solutions.  The relevance of ICAM has clearly extended beyond the Federal ICAM mandates to any government program that must enable standards-based interoperability, such as health exchanges and public safety.  The state-government-endorsed version of ICAM was just released as the NASCIO SICAM Roadmap.

ICAM solutions require an integrated security architecture.  The major new release in August of Oracle Identity Management 11gR2 focuses on a platform approach to identity management.  This makes it easier for government organizations to acquire and implement a comprehensive ICAM solution rather than individual products.  The following analyst reports describe the value of the Oracle solutions:

  • According to The Aberdeen Group:  “Organizations can save up to 48% deploying a platform of (identity management) solutions when compared to deploying point solutions”
  • IDC Product Flash, July 2012:  “Oracle may have hit the home run grand slam in identity management recently with the announcement of Oracle Identity Management 11g R2."
For additional information on the Oracle ICAM solutions, attend the Webcast on October 10, 2012:  ICAM Framework for Enabling Agile, Service Delivery.

Visit the Oracle Secure Government Resource Center for information on enterprise security solutions that help government safeguard information, resources and networks.

Oracle Open World / Public Sector / Identity Platform

Oracle Open World Registration

For those attending Oracle Open World (Oct. 1st - 3rd, 2012 at the Moscone Center in San Francisco), the following details are recommended:  OOW Focus on Public Sector.

Oracle's foundational Identity and Access Management and Database Security products, which underpin government ICAM solutions, are also covered extensively during the event.  The following will be available:

The focus is on Oracle's Modern Identity Management Platform.  

  • Integrated Identity Governance
  • Mobile Access Management
  • Complete Access Management
  • Low Risk Upgrades

The options for attendees include 18 sessions for Identity and Access Management, 9 Identity and Access Management demonstration topics at the Identity Management Demo Grounds, and 2 hands on labs, as well as 21 database security sessions.

Oracle Public Sector Reception at OOW:  Join Oracle's Public Sector team on Monday, October 1 for a night of food and sports in a casual setting at Jillian’s, adjacent to Moscone Center on Fourth Street. In addition to meeting the Public Sector team, you can enjoy Monday Night Football on several big screen TVs in a fun sports atmosphere.

  • When: Monday, October 1, 6:30 p.m.–9:30 p.m.
  • Where: Jillian's, 101 Fourth Street, San Francisco 

Wednesday Sep 19, 2012

NASCIO Releases Updated State Identity Credential Access Management (SICAM) Documentation

To date, Oracle's SecureGov discussions around the NASCIO State Identity Credential Access Management (SICAM) Roadmap have addressed various "draft" and "working" versions of the framework.  Today, NASCIO released the first version of the document for download on their "Publications" page.

Thursday Aug 16, 2012

Database Security: The Need for a Comprehensive Strategy

The year was 73 AD. During the First Jewish-Roman war, Jewish rebels and their families took refuge on a tall mesa, known as Masada, between the Judean Desert and the Dead Sea Valley.

Months into the siege, Roman forces built an assault ramp to the top of the mesa. Once the ramp reached the top, Roman forces easily breached the defenses of Masada, only to find that the inhabitants had committed suicide. The forbidding nature of the mesa and some perimeter walls along its edges were all that separated the inhabitants from their attackers. Once that line was breached, there were no further defenses in place to stop the advance of the Roman forces.

What does the first century siege of Masada tell us about data security? Plenty, as it turns out.

Masada is a good illustration, by its absence, of the value of a defense-in-depth approach to security. Defense-in-depth provides multiple levels of protection that seek to delay an attack in order to buy time to respond to it. It involves multiple layers of security controls, providing redundancy and protection in the event that a single control fails. At each layer, controls and warning mechanisms can be deployed to detect and respond to a given attack. Masada clearly lacked a defense-in-depth strategy.

Like Masada, most IT organizations lack an in-depth strategy to secure their data. As many recent, well-publicized data breaches have shown, perimeter (network) security alone is clearly not enough to prevent data breaches.

IT organizations must deploy a defense-in-depth strategy to fully protect themselves against the multitude of threat vectors facing them today.

An effective, in-depth approach will include perimeter security as the first line of defense against attack, but will also include other controls such as auditing, access control, data encryption, and data masking.

In subsequent blog entries these controls will be discussed in further detail. Together they provide a complete defense-in-depth data strategy to ensure your data is fully protected. Learn the lesson that Masada teaches: perimeter security, while important, should not be your only line of defense.
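The following is an added example, not code from the original post or an Oracle product, showing three of the layers named above (access control, data masking, auditing) stacked behind the perimeter on a single table. It runs on SQLite, which has no user accounts, so the role policy is a hypothetical Python dictionary standing in for database roles and grants; the student records, role names and table names are constructed for the example. Encryption at rest is left out because it needs key management the example cannot stand in for. The point to notice is that each layer catches something the others miss: the policy blocks the analyst from the raw table, the view hides the identifier from anyone who is allowed to read, and the trigger records changes no matter which code path makes them.

```python
import sqlite3

# Constructed sample records (not from the original post). Student data is
# used only because the surrounding posts concern K-12 and public sector data.
SAMPLE_STUDENTS = [
    (1, "Jane Doe", "123-45-6789", "A"),
    (2, "John Roe", "987-65-4321", "B"),
]

# Layer 1, access control: a hypothetical role -> table -> actions policy.
# A production database would express this as roles and grants; it lives in
# Python here only so the example runs on SQLite, which has no user accounts.
POLICY = {
    "registrar": {"students": {"read", "write"},
                  "students_masked": {"read"},
                  "audit_log": {"read"}},
    "analyst":   {"students_masked": {"read"}},
}

SCHEMA = """
CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, grade TEXT);
CREATE TABLE audit_log (seq INTEGER PRIMARY KEY AUTOINCREMENT,
                        actor TEXT, action TEXT, detail TEXT);
-- One-row table holding the acting principal so triggers can attribute changes.
CREATE TABLE session (actor TEXT);
INSERT INTO session VALUES ('nobody');
-- Layer 2, data masking: analysts only ever read this view, so the full SSN
-- never leaves the base table.
CREATE VIEW students_masked AS
    SELECT id, name, '***-**-' || substr(ssn, -4) AS ssn, grade FROM students;
-- Layer 3, auditing enforced inside the database: it fires for every write,
-- whichever application path performed it.
CREATE TRIGGER audit_update AFTER UPDATE ON students
BEGIN
    INSERT INTO audit_log (actor, action, detail)
    VALUES ((SELECT actor FROM session), 'UPDATE',
            'student ' || OLD.id || ' grade ' || OLD.grade || ' -> ' || NEW.grade);
END;
CREATE TRIGGER audit_delete AFTER DELETE ON students
BEGIN
    INSERT INTO audit_log (actor, action, detail)
    VALUES ((SELECT actor FROM session), 'DELETE', 'student ' || OLD.id);
END;
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO students VALUES (?, ?, ?, ?)", SAMPLE_STUDENTS)
    conn.commit()
    return conn


def _authorize(conn, role, table, action):
    """Check the policy and write an audit row for the attempt, allowed or not.
    Reads are logged here because triggers cannot observe SELECT statements."""
    allowed = action in POLICY.get(role, {}).get(table, set())
    conn.execute("INSERT INTO audit_log (actor, action, detail) VALUES (?, ?, ?)",
                 (role, action.upper() if allowed else "DENIED", table))
    conn.execute("UPDATE session SET actor = ?", (role,))
    conn.commit()
    if not allowed:
        raise PermissionError(f"{role} may not {action} {table}")


def read_as(conn, role, table):
    _authorize(conn, role, table, "read")
    # `table` was just validated against the policy allowlist, so it is safe
    # to interpolate; user-supplied values still go through parameters.
    return conn.execute(f"SELECT * FROM {table} ORDER BY 1").fetchall()


def set_grade_as(conn, role, student_id, grade):
    _authorize(conn, role, "students", "write")
    conn.execute("UPDATE students SET grade = ? WHERE id = ?", (grade, student_id))
    conn.commit()


def demo():
    """Exercise each layer and return (masked rows, whether raw data leaked, audit trail)."""
    conn = build_db()
    masked = read_as(conn, "analyst", "students_masked")   # layer 2 hides the SSN
    try:
        read_as(conn, "analyst", "students")                # layer 1 blocks the raw table
        leaked = True
    except PermissionError:
        leaked = False
    set_grade_as(conn, "registrar", 1, "B")                 # layer 3 records the change
    audit = read_as(conn, "registrar", "audit_log")
    return masked, leaked, [(actor, action, detail) for _, actor, action, detail in audit]


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running `demo()` shows the analyst's rows with only the last four digits of the SSN, the denied attempt on the raw table as a `DENIED` audit row, and the grade change attributed to `registrar` by the trigger. Note what the example does not do: the policy check and the read logging live in the application, so a connection that bypasses `read_as` would not be logged; the trigger is the only layer that holds regardless of path, which is why the post argues for controls in the database itself.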

Friday Apr 06, 2012

Taking the fear out of a Cloud initiative through the use of security tools

Typical employees, constituents, and business owners interact with online services at a level where their knowledge of back-end systems is low and, most of the time, they have no interest in knowing the systems' architecture.  Most application administrators, while partially responsible for these systems' upkeep, have very little interaction with them at the operational, platform level.  Of greatest interest to these groups is the consistent, reliable, and manageable operation of the interfaces they use.  Introducing the "Cloud" topic into any evolving architecture automatically raises concerns about data and identity security, simply because of the perception that an enterprise that does not own the silicon cannot control what is stored on it.  But is this really true?  

In the majority of traditional architectures, data and the applications that access it are already physically distant from the organization that owns them.  They may reside in a shared data center, or in a geographically convenient location dictated by a large organization's connectivity.  In the end, the "traditional" architecture is very often fairly close to the "new" Cloud architecture.  The most notable difference is that a Cloud setup, by its nature, must treat security as a core function rather than as a necessary add-on. Therefore, following best practices, one can argue that data can be safer in the Cloud than in traditional, stove-piped environments where data access is segmented and difficult to audit. The caveat is, of course, what those "best practices" consist of, and this is where Oracle's security tools are well suited to the task.  Since Oracle's model is to support very large organizations, it is fundamentally concerned with distributed applications, databases and their security, and the related Identity Management products and Database Security options reflect that.  In the end, consumers of applications and their data can be served more safely in a controlled Cloud environment while realizing the many cost savings associated with it. Having very fast resources to serve them (such as the Exa* platform) makes the concept even more attractive. 

Finally, if a Cloud strategy does not seem feasible, weigh the pros and cons of a traditional versus a Cloud architecture.  Using the exact same criteria and business goals, and with Oracle's technology, you may be hard pressed to justify maintaining the technical status quo on security grounds alone.

For additional information please visit Oracle's Cloud Security page at:

Wednesday Jan 04, 2012

Reducing SPAM on Identity Registration Services

The combination of Oracle Identity Manager 11g and a test for real-human input (via CAPTCHA-type technology) provides a secure interface for agencies to implement trusted self-service user registration.

Thursday Oct 27, 2011

SICAM: Privacy and the Golden Record

Addressing the privacy considerations associated with the use of the "Golden Record" in a SICAM architecture.

Saturday Sep 03, 2011

SICAM: SICAM Component Architecture

When I first started contributing State Identity Credential Access Management (SICAM) content last year, I didn’t get too far into the discussion before trying to spell out the key value propositions for organizations heading down that path. Meeting conditional funding requirements, complying with state/federal mandates, eliminating benefits fraud, streamlining processes: all of these initiatives benefit from SICAM’s single, trusted view of identity. That notion of a “single view of the individual”, that “this Jane Doe is the right Jane Doe, the same Jane Doe as I look from system to system and department to department”, is sometimes referred to as the “Golden Record” for that person. The need for data quality and identity resolution makes Master Data Management (MDM) a necessary component of a SICAM architecture.

Figure:  SICAM Component Architecture

The component architecture is born more out of policy requirements than technology dependencies. Taking one more look at my earlier comments on public sector policy drivers for SICAM, we can see how each of these components fits into the mix:

  • MDM provides the aforementioned identity resolution, data quality, and single view of individuals (in many ways like a primary key/foreign key relationship, only here between systems and identity repositories).
  • Once we understand our relationship to (or “single view” of) an individual, we apply any number of credentialing techniques to communicate and assure that relationship in the form of a token or artifact.[i] Depending on the level of trust in a given identity, or the level required for authentication, different credentials (certificates, smart cards, one-time passwords, knowledge-based authentication, etc.) provide different levels of identity assurance that scale to the security needs and requirements of grant initiatives, compliance mandates, and reporting specifications.
  • Identity and Access Management tools manage and honor those identities and credentials in a manner that allows interoperability across systems and domains without impeding their use in the systems of origin.
  • Service Oriented Architecture (SOA) provides the common standards and infrastructure for rapid deployment and consumption of interoperable services across departments, agencies, states, municipalities, etc.
  • One of the primary drivers for adopting a SICAM infrastructure is to enable a collaborative Business Intelligence reporting platform.[ii] SICAM acts as an interoperability layer that allows departments to report on (often regulated and sensitive) data without the co-mingling and sharing of raw back-end data that would violate compliance mandates and law.[iii]
  • And finally, a Portal interface for presentation.

Typically my writings are on the Identity Management and Security side of the SICAM equation, but over the next couple of posts I’d like to delve into some important discussions around the MDM area of the component architecture. Recently I’ve had several great discussions in the field around the legal, privacy, and security ramifications of the MDM/Identity Resolution piece of SICAM that are worth sharing. With this discussion of SICAM components as background, I’ll delve in next time with some frequent questions and considerations around the care and feeding of the “SICAM Golden Record.”

[i] See NIST Special Publication 800-103, “An Ontology of Identity Credentials”.

[ii] See the data sharing and reporting requirements for initiatives like the Department of Education’s State Longitudinal Data Systems (SLDS) grants and Health and Human Services’ Nationwide Health Information Network (NHIN).

[iii] Again, drawing from SLDS and NHIN, student performance data and personal health information are strictly regulated by the Family Educational Rights and Privacy Act (FERPA) and the Health Information Technology for Economic and Clinical Health Act (HITECH, see also HIPAA) respectively.
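The MDM bullet above describes identity resolution and the interoperability bullet insists that the result must not co-mingle regulated data. The following is an added example, not code from the original post or from any Oracle MDM product, of the minimal form of that idea: two constructed source systems (a hypothetical SLDS education feed and a hypothetical health exchange feed) are resolved into golden records by deterministic matching on normalized name, date of birth and the last four SSN digits, and each golden record carries only identity attributes plus pointers to the source records, never the FERPA or HIPAA payload. The matching weights and threshold are assumptions for the example; a real deployment would use a probabilistic matcher and a human review queue for borderline scores.

```python
import re
import unicodedata
from datetime import date

# Constructed sample records from two hypothetical state systems (not from the
# original post). Each system keeps its own regulated payload; only the
# identifying attributes take part in resolution.
EDUCATION_RECORDS = [
    {"sys": "SLDS", "id": "E-1001", "name": "Jane A. Doe", "dob": "1995-03-14",
     "ssn_last4": "6789", "payload": {"gpa": 3.7}},
    {"sys": "SLDS", "id": "E-1002", "name": "John Roe", "dob": "1990-07-01",
     "ssn_last4": "4321", "payload": {"gpa": 2.9}},
]
HEALTH_RECORDS = [
    {"sys": "HIE", "id": "H-55", "name": "DOE, JANE", "dob": "03/14/1995",
     "ssn_last4": "6789", "payload": {"encounter": "redacted"}},
    {"sys": "HIE", "id": "H-56", "name": "Jane Doe", "dob": "1988-11-30",
     "ssn_last4": "0000", "payload": {"encounter": "redacted"}},
]


def normalize_name(name):
    """Fold case and accents, turn 'LAST, FIRST' into 'FIRST LAST', and drop
    punctuation and single-letter middle initials so the two feeds compare."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode().upper()
    if "," in s:
        last, first = [p.strip() for p in s.split(",", 1)]
        s = f"{first} {last}"
    parts = [p for p in re.sub(r"[^A-Z ]", " ", s).split() if len(p) > 1]
    return " ".join(parts)


def normalize_dob(dob):
    """Accept ISO (YYYY-MM-DD) or US (MM/DD/YYYY) dates and return a date."""
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", dob)
    if m:
        return date(int(m[1]), int(m[2]), int(m[3]))
    m = re.fullmatch(r"(\d{2})/(\d{2})/(\d{4})", dob)
    if m:
        return date(int(m[3]), int(m[1]), int(m[2]))
    raise ValueError(f"unrecognised date: {dob}")


def match_score(a, b):
    """Deterministic attribute match. Weights are assumptions for the example:
    a name alone is weak evidence, DOB and SSN digits are stronger."""
    score = 0
    if normalize_name(a["name"]) == normalize_name(b["name"]):
        score += 1
    if normalize_dob(a["dob"]) == normalize_dob(b["dob"]):
        score += 2
    if a["ssn_last4"] == b["ssn_last4"]:
        score += 2
    return score


# Name plus DOB (3) is not enough on its own; DOB plus SSN digits (4) or all three (5) is.
MATCH_THRESHOLD = 4


def resolve(*sources):
    """Cluster records across systems into golden records. Each golden record
    holds resolved identity attributes and pointers to the source records,
    never the regulated payloads, so departments can join on identity without
    co-mingling FERPA or HIPAA data."""
    golden = []
    for record in [r for src in sources for r in src]:
        for g in golden:
            if match_score(record, g["anchor"]) >= MATCH_THRESHOLD:
                g["links"].append((record["sys"], record["id"]))
                break
        else:
            golden.append({"anchor": record,
                           "name": normalize_name(record["name"]),
                           "dob": normalize_dob(record["dob"]).isoformat(),
                           "links": [(record["sys"], record["id"])]})
    # Drop the anchor record so only identity attributes and links leave the resolver.
    return [{k: v for k, v in g.items() if k != "anchor"} for g in golden]


if __name__ == "__main__":
    for g in resolve(EDUCATION_RECORDS, HEALTH_RECORDS):
        print(g)
```

Running it yields three golden records: the education record E-1001 and the health record H-55 collapse into one "JANE DOE" born 1995-03-14 with two links, while H-56, a different Jane Doe who matches on name only, stays separate. The privacy-relevant design point is in the return value: a consumer that is entitled to both systems can follow the links, but the resolver itself never holds GPA or encounter data, which is the separation the post's footnote [iii] is asking for.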


Identity and Access Management topics related to Federal, State and Local government agencies