Infinite Identities

Giving Authentication the Finger

2010-06-17T12:24:00.000-07:00

Having recently broken the thumb of my dominant hand it has become painfully clear that thumbs/fingers are an intricate part of who we are and something we take everywhere … even when they are a big PAIN.

Why bring it up?

Like many enterprise users, my corporate laptop comes equipped with a fingerprint scanner, and I have linked it to my desktop sign-on.
While the advantages to me were not obvious at first, losing the ability to authenticate this way makes me realize what a substantial usability advantage it is to me daily.
But the security advantages combined with cost savings on provisioning/replacing tokens is much greater.
Leveraging Oracle IdM & BIO-Key bio-metric authentication solutions offers Enterprise better security gives customers an substantially improved user experience.

How Does it Help?

Tokens & Passwords have limitations - Passwords have and token security policies have limitations are either ineffective or become a nightmare for both IT staff and users to manage from productivity and cost perspective.
Give me an Example - The George Washington Medical Center in Washington DC recognized that doctors and staff were becoming increasingly frustrated with having to remember and periodically reset their passwords in order to meet security requirements. So in May of 2007 the IT staff and Allscripts successfully integrated fingerprint identification software from BIO-key International into the Enterprise EHR Solution to protect access to patient medical records.
What was the result? - Privacy of patient records was vastly improved; Doctors quickly and conveniently now access needed information; System security is enhanced.
How does it work? - BIO-key International’s ID Director integrates with Oracle Access Manager to enable user authentication to OAM protected Applications, based on fingerprint biometrics. This provides a more convenient, secure and cost effective alternative to passwords and tokens to establish an individual’s identity.
For more information - click here

What about Identity Theft?

While it seems everyday in spy movies and gag shops, in reality cutting off someone’s finger and using it for authentication is far less likely to impact the Enterprise then tokens left in a taxi/plane.
Comparatively, the rises in traditional and emerging forms of identity theft highlight the current deficiencies of passwords and tokens used to establish user’s identity when accessing your databases and applications.
An article published in January, by the Identity Theft Resource Center states “The meteoric rise in social media use has also created a launch pad for identity thieves.”
The article predicts an increase in ID theft crimes and victims over the next two years unless significant changes are made in information security.
The article goes on to say “Our most important asset is our identity. And we are functioning under a completely antiquated system of identification.”
BIO-key International’s ID Director for Oracle Access Manager Applications, based on fingerprint biometrics, provides a more convenient, secure and cost effective alternative to passwords and tokens to establish an individual’s identity.
For more information- click here

Learn more about Bio-Key ID Director for Oracle Access Manager visit the solution page.

Leaky pipes, call a plumber. Leaky data, call PwC & Oracle

2010-03-12T14:22:00.000-08:00

Enterprises are moving from “Who has access to what?” to “What are they doing with it?”

Data & Identity theft has a potentially enormous financial impact on the enterprise through damage to brand reputation, regulatory penalties, and competitive theft. But protecting against misuse of resources is an increasingly challenging issue in a world of Cloud Applications, globally dispersed teams, and networks open to multiple devices, contractors, and Web 2.0 applications.

"A small leak can sink a great ship." - Benjamin Franklin

Is this really a problem?

Trust me – According to Wikipedia , an Ethical Hacker, or White Hat is “the hero or good guy, especially in computing slang, where it refers to an ethical hacker or penetration tester who focuses on securing and protecting IT systems.” While the concept is reassuring, 90% of test by White Hats succeed in getting sensitive information.
The FTC puts the annual business loss from ID/Data Theft near $50 billion.
Over one-quarter said the incident resulted in brand/reputation damage.
With growing profits, sophisticated techniques, lagging international laws, and the migration from a basement hobby to an organized crime syndicate – this is an area of growing opportunity which is increasingly hard to prosecute.
Identifying and protecting sensitive data requires a deliberate process of understanding your existing risk and “plugging the leaks”.
This is NOT just an IT issue, it is an overall business issue.

Why have we missed this?

Why? - While portable/accessible information is crucial to fast moving collaborative businesses; sharing data can lead to unintended consequences.
What is it? - Sensitive or regulated information including Intellectual Property (“IP”), Personally Identifiable Information (“PII”), trade secrets, sales/customer data, and payment card data are all open to be misused or compromised.
What is the impact? – Beyond the obvious risk of fines and lawsuits, breaches can lead to a long term impact on brand reputation, competitiveness, and financial well-being.

Is this a growing problem?

These thefts are increasingly driven by organized, motivated, and sophisticated groups that are well compensated for their success.
In a down economy with growing layoff’s and fears of unemployment, employee loyalty is the Enterprise equivalent of a unicorn.
Global businesses rely on international collaboration networks, distributing information through a variety of methods—potentially leaving companies more exposed.
IP loss leads to counterfeiting, fraud, and from there loss of revenue with lasting negative effects on brand value and corporate reputation.
Existing IP protection is not designed to detect targeted hacking or electronic espionage activities.
Standards such as Payment Card Industry (“PCI”) or Sarbanes-Oxley (“SARBOX”) create a false sense of security as they are very finite in scope

What did we do before?

• Ignorance is Bliss – Most felt, “This will never happen to us.”

• The Gong Show – Historically attackers were driven by outsiders which were disorganized amateurs working from their parents basements.

• Not my job - “This is an IT issue.”

• Risk Reward Ratio – Previously the impact was neglibilbe compared to the cost of solving the problem

• Unicorns ARE real – “We trust our employees to secure our information.”

• Who Care’s – “We passed our audit, so we’re safe.”

What should we be thinking about now?

• Enterprises, regardless of their size vertical, or location; need to confront a real and growing risk from data and identity theft.

• Data loss is from organized groups, internal employees, and comes from physical loss, data exchanges, fraud, and human error.

• Corporate data losses open the door for employees and customers to experience fraud and personal identity theft.

• Employees and collaboration networks are the most common data leak sources.

• Data protection is not just a C-Level issue, it is a CEO-level concern.

What do I do about it?

Data Security Audit – Understand where your sensitive data is, where your leaks are and what your options are for plugging the leaks with the help of PwC
Data Loss Protection (“DLP”) – Leveraging integrated tools from Oracle partners including McAfee and Symantec ; Enterprises have the tools to look at data on the network or inflight to understand how sensitive it is and allow the enterprise to respond.
Oracle Information Rights Management (“IRM”) - Provides a uniquely efficient response to sensitive data highlighted by DLP products. Oracle IRM allows Enterprises to continue to share sensitive data while protecting it from misuse or theft
Oracle Identity & Access Management (“IAM”) - Extends the standard provisioning of access rights and roles for applications to data and content by working closely with Oracle IRM.

Why PricewaterhouseCoopers (PwC) ?

Founded in 1998 with the merger of Price Waterhouse and Coopers & Lybrand, their client history dates back to the nineteenth century combining a global perspective with a local focus and deep understanding of US national issues.
Originating in London in the mid-1800s, PwC has 16 industry sector concentrations with unique expertise in assurance, tax, human resources, transactions, performance improvement and crisis management help to resolve complex client and stakeholder issues worldwide.
Driving innovation from global financial services and public sector or military to non- profits, and relief agencies their collaborative model to create innovative solutions to today's most complex business issues.

For more information:

· PwC’s “10 Minutes on data and identity theft”

· Contact: Gary Loveland

` Principal, National security practice leader

Tel: +1 (949) 437 5380

Identity & Access Governance hits the Big Time!!!

2010-02-25T15:28:00.001-08:00

Combining Oracle+Sun IdM & GRC

products with cutting edge partners

like Simeio Solutions,

Identity and Access Governance

are center stage in IdM today.

“Whenever the people are well-informed, they can be trusted with their own [governance].” - Thomas Jefferson

Even back in his day Thomas Jefferson noted that good government, like good governance, was ability being informed and more and more these days Enterprises are looking to their IT resources to not only enable business functions but to provide greater visibility into those functions/applications. Through Oracle’s applications and the expertise of partners like Simeio Solutions, Oracle is helping deliver this visibility for Identity and Access Governance.

So, who is Simeio?

Leaders with IAM and Role Management deployments
Reach: Global Customer Base with a presence in NY, LA, Atlanta, Dallas, Canada, Australia, and India Canada (2008), ASPAC (Established in Sydney and Mumbai , 2009), EMEA (2010 Planned, UK Q1)
Focus: Solving critical business needs through IAM, ITGRC and Cloud Computing Fortune 100-1000 as reference-able clients
Biz/Tech Capabilities: Simeio has experienced resources able to deliver IAM and IT-GRC consulting projects based on the following areas Simeio has developed quick-start assessment and rapid deployment models allowing for shortened project delivery timelines using both fixed fee and time and materials based contracts; resources across the company, multiple trained across Oracle’s security portfolio (User Provisioning, Role Management and Compliance)
Services Capabilities: Simeio has a diversified set of services to differentiate from our competition and be seen as a leader in Identity and Access Management and IT-GRC; Simeio meets with industry analysts (Burton, Gartner, Forrester) on a regular basis to keep a pulse on industry trends and ensure our services align with customer needs; Simeio meets with vendor Product Engineering and Management on a monthly basis
Value: Strong team that has a reference-able base of customers for Simeio to discuss Oracle Identity Management; Up-sell Oracle Identity and Access Governance suite to existing and new customers
Strong position in the market with deep understanding on Identity, Role and Compliance Management
Allows for Oracle to have a dedicated team to go into Oracle accounts and discuss and implement these solutions as a replacement to other role management and identity products and continue to expand Oracle’s footprint within the account

Where do they come from?

Enterprise Software Experience: Collective team comes from the Vaau (prior to acquisition by Sun)
Deployment Experience: 90% or more of Sun Role Manage (“SRM”), now Oracle Identity Analytics (“OIA”) deployments done by Simeio
Migration Experience: Provide a deployment /migration path from other Role Management & Identity solutions to Oracle IdM; example Sun Identity Manager (“SIM”) to Oracle Identity Manager (“OIM”)
Competitive Experience: Knowledge and experience has led to key wins against competitors such as Aveksa, SailPoint & CA
Field Experience: Work with field and development around POC’s and beta testing
Product Experience: Simeio Developed SRM 5.0 Documentation and was an integral part of the SRM 5.0 release
Unique IP: Simeio Solutions has Intellectual Property around integrating and fast tracking deployments of SIM/OIM: Packaged 2 step approval workflow built for quick deployment; Package for quick integration between SIM-SRM and OIM-SRM; Packaged custom reports providing immediate business value; Expertise in developing custom connectors for home-grown applications
Unique Approach: Skilled resources out of our center of excellence for custom development; “zero-day” rule based provisioning solution; Quick ROI and value to the business; 7 day manual process reduced to 5 minute automated provisioning

How do they help with IdM Governance?

To borrow a phrase, they have their own dog in this hunt: Simeio Solutions Intellectual Property such as DirectAXs and offer services in the cloud for Provisioning, Single Sign-on and Access Request
Compliance & Role Management: Simeio Solutions Intellectual Property around integrating and fast tracking deployments of SRM; best practices SoD library; plus 160 Business Rules and thousands of technical rules
Well Published: Authored multiple independent white papers published in Role and Compliance Management
Well Respected: Already published in several technology analyst papers
Role Management for the Enterprise (RME) & GRC: Best of breed practices for IT-GRC consulting projects Simeio is currently seen as the leader with the most Sun Role Manager deployments Simeio has developed quick start packages and delivered numerous projects with both Sun and Oracle Identity Solutions Simeio has reference-able deployments to Fortune 100-1000 clients

What exactly do they offer On Demand?

ROMAXs - Role Engineering, Role Management
ICOMAXs - Access Re-Certification, Identity Auditing
GRCAXs - Policy Management, Controls Testing, Risk Assessment
IAMAXs - User Provisioning, Self Service
SSOAXs - Web Single Sign-On, Federation, Web Access Control, and Role Mining/Management

The alternative to flexible infrastructure that allows dynamic access to business resources BUT gives visibility is protection through limiting access:

“The best government is a benevolent tyranny tempered by an occasional assassination.” – Voltaire

While this might have worked for Voltaire most modern Enterprises are looking for IT infrastructure that enables business innovation and growth; Oracle and its partners like Simeio are poised to deliver this.

Identity Management as an Appliance by AegisUSA

2010-01-27T17:49:00.000-08:00

In light of the Oracle/Sun acquisition closing today, AegisUSA existing solution demonstrates the power of Sun/Oracle Identity Management delivered as a hardware appliance.

Who is AegisUSA?

IAM solution provider
Over 60 clients nationwide
Created IAM IP over last 5 years
Built IAM products focused on specific solutions
Market focus
Mid Market
Higher Ed
Healthcare
State and Local Government

What is the challenge with the traditional approach?

Small Identity Customer = $500K Project
$50-150K Software License
$200K PS
$50K Hardware
1000-3000 Employees
3-6 month deployment
Organizations with 1000 users and below may be priced out of both the solution and the suite and therefore may not be good opportunities to prospect

What is the benefit of AegisUSA Appliance?

Small Identity Customer can’t afford $500K
$50-150K Software
$50-75K Solution
30 Day Deployment

What is it?

Appliance Solution
Hardware – 2 Sun Fire x4150 Servers
Sun Identity Management Software Suite
Identity Manager
OpenSSO
Directory Server
Supporting Sun Software
MySQL, Solaris 10, Open MQ, Glassfish
Professional Services to Install, Connect, and Configure
Appliance Support

What are the benefits of the Appliance approach?

Foundation for Further Expansion
Differentiator from other “point” solutions.
Open Architecture
Easy to Understand, Implement, and Support
Requires Minimal Professional Services to Deploy
Solves “Low hanging fruit” identity problems
Provides Quick wins
Increases Visibility for IAM Initiative

IdM includes a broad set of use cases, so where did they start?
Password Management

Account Discovery (3-5 apps – 1 Authoritative)
Change Password
Forgot Password
Change Authentication Questions
Password Policy Configuration
Help Desk Admin
Password Reset
Change Password
User Audit Report
Standard auditing and reporting
Branding

Federated Identity

Infrastructure to join InCommon Federation
Leverage existing AuthN (LDAP)
OpenSSO with Shib SAML Profile
Documentation Package for clients

Single Sign On

Initial Loader and Existing Directory Integration
SSO Object Class Updater
Policy and Rule Configuration
IDM Authentication
Application Authentication and Simple Authorization
Session Persistence
Request SSO Access.

Google Apps Provisioning

Leverage existing ‘directory’
Well defined set of rules for provisioning accounts
Allow for sponsored/guest account creation

This is a great example of how Oracle/Sun Identity Management software can be delivered as a hardware device to increase customer success and reduce implementation cost. We look forward to see further innovations that come from Oracle/Sun + Partners!

Government is going to the clouds...

2010-01-20T17:36:00.000-08:00

“The government's living in its own cloud cuckoo land...” - Bob Brown

For reasons ranging from cost savings to real time collaboration and innovation or job growth; increasingly government agencies around the globe are racing to roll out cloud services. And like most IT departments there are areas of major overlap where various groups are competing for budget and influence.

Like an awards show, below I have highlighted some of the more notable Cloud Initiatives in progress within the Public Sector, starting here in the United States:

My Favorite Cloud (Being a Space Camp graduate): Nasa Nebula

According to Wikipedia "A nebula is an interstellar cloud of dust, hydrogen gas, helium gas and plasma."
The pun-intended pilot program is under development at NASA Ames Research Center and is primarily based on open-source components and provides a virtualized dynamically scalable computing infrastructure .... hence a cloud.
Today it is used for public outreach primarily but theoretically for scientific collaboration and mission support.
As we see with Enterprises, innovation out paces infrastructure and NASA researchers see Nebula as a way to dynamically share discoveries to rapidly iterate on theories to more quickly lead to scientific discovery.
As with any organization with high value IP, data handling, privacy, and access requirements are critical so security is fundamental as well as the need to comply with agency and federal policies such as the Federal Information Security Management Act (FISMA).
Nebula's Infrastructure-as-a-Service leverages Eucalyptus, a cloud management system from UC Santa Barbara that is compatible with Amazon's EC2 web service.
However Nasa assures us that sensitive information is NOT being stored on Nebula

Obama's Favorite Cloud: Apps.gov

Goal - Per the launch announcement, “to lower the cost of government operations while driving innovation within the government.”
Apps.gov is an online storefront for federal agencies to quickly browse and purchase cloud-based IT services, for productivity, collaboration, and efficiency.
Breaking from their historical challenges we saw before 911 leading to the creation of the Department of Homeland Security, where data (+apps) were hosted by individual agencies and on fenced off devices
As the Fed spends north of $75 billion annually on IT, the potential benefit from even minimal optimization is enormous
Additionally, for anyone who has gone through a Fed procurement process, it is painfully clear that glaciers of molasses in January move faster. Enabling a more dynamic model of sharing resources could, theoretically, enable Federal agencies to roll out new services much more quickly saving time, money (on people), and be more effective .. more upside.
Peter Mell of NIST succinctly put it, "2010 will be the year of the cloud computing pilot." I look forward to continuing this exciting conversation with you all!

Most Seafaring Cloud: Navy's CANES Initiative

Why it's cool – Like any cloud initiative, it seeks to make data and applications shared resources accessible by users/apps ... but the Navy makes it accessible by Sea.
The Consolidated Afloat Network Enterprise System (“CANES”), as you might suspect, consolidates hardware/software for centralized access which will deliver a common hosted computing environment for the entire fleet ... freeing up the ships to focus on their day job, protecting us from the bad guys ... sounds like a great idea to me!!!
The Navy is also looking at their own version of a Virtual Private Cloud for the individual boats (ok, they prefer the term vessel) called "grey clouds"

Toughest Cloud: DISA Cloud Initiative

The Defense Information Systems Agency (“DISA”) is currently putting together several Cloud services for the US Department of Defence (“DoD”).
These include Forge.mil, an open source initiative (Thanks for supporting the US software industry) which is a group of SaaS applications that support the DoD IT community.
Started in October 2008, Forge.mil is a DISA-led activity that theoretically delivers operational efficiency, cost savings, and would help protect the operational environment from potentially harmful systems and services
Another example is GIG Content Delivery Services (“GCDS”) which is actually not owned by the Public/Federal Sector , and this computing platform is shared/deployed across the DISN (NIPRnet & SIPRnet).
GCDS is designed to focus on delivering applications/data in a secure and reliable fashion no matter the state (or location) of the network or end points.
Some interesting advantages of GCDS include localized caching anywhere, global redundancy and fail-over, multi-vector scaling, defense in depth protection, edge level data and network control, rapid implementation, and neurologically based network security.

Most Empowered Cloud: US Department of Energy's Magellan

If you can't run with the big dog's stay on the porch - Funded by the American Recovery and Reinvestment Act through the US Department of Energy (DOE), the aim is really to test if cloud computing is all it is cracked up to be or another passing trend (What, CORBA won't change the world?)
The DOE centers at the Argonne Leadership Computing Facility (ALCF) in Illinois and the National Energy Research Scientific Computing Center (NERSC) in California are installing basic but comparable systems as a test bed to assess the effectiveness of cloud computing from the perspective of energy efficiency.
What's in a name? - Viewed as an exploration of the next frontier in IT, Magellan is named (no surprise here) in honor of the Portuguese explorer whose voyage was noted as the first to circumnavigate the globe. Also the “clouds of Magellan”, 2 galaxies were named after him so it gets even more cute.

The Most Pail Cloud: Department of the Interior's NBC Cloud Initiative

The Department of the Interior's National Business Center (“NBC”) is planning a set of cloud services to be offered to the broader community of federal agencies.
Having historically operated as a service provider, NBC (no peacock included) was originally established to be a shared services provider for what those of us in the commericial sector might think of as G&A activities such as accounting, HR, etc.
Starting in 2004, NBC took on the role of being the US government wide service provider under the Information Security Systems Line of Business and in so doing quickly stumbled into the typical issues/requirements of multi-tenancy we see in the commercial space.
Today NBC (still no peacock) is planning to start with 6 cloud solutions: NBCGrid (IaaS), NBCFiles (Cloud Storage), NBCStage (PaaS), NBC Hybrid Cloud, NBCApps (SaaS Marketplace), & NBCAuth.

Around the World

“Behind every cloud is another cloud.” - Judy Garland

James Bond's Favorite Cloud: The UK's G-Cloud Initiative (it even sounds classy)

Announced by Great Britain's Federal CIO, this onshore and private initiative by the government is aimed at delivering a middleware platform for delivering data and applications as shared services in a iTunes.gov.uk like application store.
Initiated with a study/investigation into the effectiveness of Cloud Computing and Virtualization, the apparent success of their test results turned into a full blow IT initiative
As in the US, the goal is to empower UK government agencies to benefit from the costs savings and efficiencies of a shared computing environment while also maintaining the appropriate levels of security, accountability and control required government programs.
Having previously kept such efforts within specialized teams/groups, this is the first effort to bring IT innovation directly under the responsibility of their operating agencies (or for those of use from the private sector think business owners not IT).

The Cloud with the most painful acronym: The EU's RESERVOIR project

While Government agencies are known for their use of acronym's the EU (already an acronym) takes the cake with the Resources and Services Virtualization without Barriers Project (“RESERVOIR”).
As in the US and the UK, the project is designed to provide cost savings, efficiency, and scalability across a shared pool of IT resources and geographies.
With On-Demand resource provisioning and Web 2.0 use of applications as a services and networks as platforms to expedite time to market for new government resources to help the EU compete on the global stage
The EU hopes to leverage RESERVOIR to enhance the competitiveness of their economy and bring about a powerful ICT infrastructure for the reliable and effective delivery of services as utilities.

Most Friendly Cloud: Canada's Cloud Initiative

The inititaive was essentially otlined in a paper from the Canadian Government's CTO of Public Works as a strategy for helping diminish the negative impact of IT on the Environment
It also suggests that leverage the inherent cooling advantages of the geography of Canada make the country an ideal location for hosting world wide cloud initiatives
Looking at this from the perspective of a traveler, Canadians are possibly the most generally likable travelers and hosting high value infrastructure there might make it safer from unintended terrorist attacks.

The Sunniest Cloud: Japan's Kasumigaseki Cloud Initiative

Dubbed the ICT Hatoyama Plan as outlined by the Digital Japan Creation Project, Japan’s Ministry of Internal Affairs and Communications has released plans to deliver a massive cloud computing infrastructure to support all of the government’s IT systems.
Tentatively named Kasumigaseki after Japan's first high rise building (1^st building in the clouds) the plan is to deliver the infrastructure in stages with full role out by 2015.
As seen in other countries the goal is IT efficiency for cost savings and speed of rolling out new solutions and services
Japan’s Ministry of Internal Affairs and Communications (MIC) anticipates that the project will boost the economy

Security’s Baby New Years for 2010

2009-12-31T08:59:00.001-08:00

As the ball drops on the 1st decade of the new millennium…

What will represent the Baby New Year of 2010 for Information Security?

Will our 2010 resolutions mitigate the threats or fall inevitably short?

Wikipedia defines Baby New Year as a “male baby wearing nothing more than a diaper, a top hat and a sash across his torso that shows the year he is representing. Sometimes he is holding an hourglass or is otherwise associated with one”.

Not too ominous at face value but this icon represents the anticipation, excitement, and uncertainty everyone feels in facing a new era. On the eve for 2010, the likely evolutions in Information Security (those foreseen and those yet unimagined) are certain to bring out the same feelings in CSO’s, CISO’s, CIO’s, CEO’s across the public and private sector.

Step 1: Learning from the past attacks

"Among all forms of mistake, prophecy is the most gratuitous.” - George Eliot
What was expected?

Early predictions this decade anticipated that information security would be much better, more efficient, less complicated, with fewer attacks.
Popular thinking was that vulnerabilities would flatten/decline, and so would breaches.
Applications were expected to get simplified, smaller, less interdependent and less extensible
Some even suggest that by 2010, a security Martin Luther would lead us through a class-action lawsuit that sparks a full-blown security reformation.
In 1991, D. James Bidzos, then president of RSA created the buzz phrase “digital Pearl Harbor”; referring to a global InfoSec attack compounded by disrupted backup systems and leading to cascading failures and worldwide panic where the origin is later pinpointed to an avoidable vulnerability.
Viruses and data breaches were seen as mischievous acts of disruptive individuals rather, not criminal enterprises.
PKI was seen as the imminent solution to all authentication problems
Reformers such as SEI’s Watts Humphrey, proposed solutions to software vulnerabilities through formalized software engineering best practices and requiring professional licensing, as within the medical field, to minimize threats by heightening quality and consistency.

“Whoops there it is!” - The Fresh Prince of Bel-Air
What wasn't expect?

Hoaxes - For example, the Baby New Year Hoax of 2007 claimed a Baby New Year Virus had infected up to 42 million computers worldwide.
Complexity - Instead of being simplified applications became more complicated, architectures more sophisticated through SOA, virtualization, SaaS, etc.
Out Sourcing - Rather than becoming a highly regulated, licensed profession software development moved to an out sourcing model where vendors and customers build solutions through composite teams world wide
Abstraction - Information Security moved to an abstraction model with shared/standard components across applications for authentication, authorization, provisioning, roles management, etc.
Protocol flaws- For example, researcher Marsh Ray of PhoneFactor discovered a hole within SSL/TLS that allowed man-in-the-middle attacks.
Security as a Facade – For example, Security2010 offering dummy security cameras and solar powered dummy security cameras
Social Networking – 10 years ago we struggled with AOL IM, Yahoo Webmail, and peer-to-peer networks like Napster and focused on server port 80; but by the end of the decade, the top concerns were Facebook, Twitter, and other Web 2.0 applications.
Worms – Unlike Oscar the Grouch friend Slimey, the 2005 Samy worm on MySpace or Facebook’s Koobface, demonstrated the risks in opening the web to malware contributions from users, innocent or malicious.
Get Shorty - Twitter fans love of mini-URL’s lead to vulnerabilities of their own
Mafiaboy to Organized Crime – The Feb 2000 Denial of Service attack from the Canadian teenage named Mafiaboy temporarily brought down sites including CNN, Dell, eBay, and Yahoo but by the close of the decade attacks were lead by well organized and funded criminals to produce data breaches at Dave & Busters, Hannaford Brothers, Heartland Payment Systems, and TJX and Iraq Shia fighters hijacking the security camera’s in drone airplanes
Gone Phishing – Clever con artists leveraging fast flux to rapidly switch domains locations and sites that felt like known banking sites successfully extracted PII from users trying to log-in, update, or review their accounts.

Step 2: Anticipating future threats

“Never assume the obvious is true.” - William Safire
What can we foresee now?

Jail Bait – Apple’s restrictive policies on “approving” applications and limiting user control of the device has lead to a large & growing sub-culture of “jailbroken” phones. While this gives the user more access it opens the device to vulnerabilities. Conversely security vendors like Symantec, McAfee, Sophos, etc. cannot develop antivirus applications for the iPhone as Apple blocks necessary low-level access to the device.
Rock’m Sock’m Androids - Google's Android is a natural attack for 2010, as Google is more open in allowing applications, but this is open to abuse by seemingly desirable applications functioning as malware.
Hey! You! Get off of my cloud – Cyber-criminals combining stolen credit cards and hosting cloud services like Amazon’s EC2 have already started to use the new platform for Bots-as-a-Service or Malware-as-a-Service. Not to mention the legal liability facing cloud services around protected data from PII to pornography being stored on their servers unbenounced to them.
It’s getting blurry - As public and private organizations extend their use of smartphones, web 2.0, and social media to interact with clients, employees, and contractors, they blur the perimeters of the network. Organizations will need to shift the focus towards data protection beyond network/infrastructure security as the question shifts from “Who has access to what?” to “What are they doing with it?”
MyCloud.gov - Government agencies are increasingly moving data and services of low or moderate risk to cloud services to attain cost savings, such as Nasa’s Nebula http://www.cloudbook.net/nebula-gov or from the Pentagon http://www.networkworld.com/news/2009/100509-pentagon-cloud-computing.html?page=2
Enough is Enough – As with the recent bombing attempt, the continuous evolution towards heightened security at airports and long, uncomfortable security screenings for most passengers will likely lead to biometrics finally making it to prime time. Consumers will be willing to compromise privacy and bear the cost to simplify their life with everything from air travel to eliminating the 100+ passwords they have to remember or keep in a file on their computer or sitting on the desk.

“No question is so difficult to answer as that to which the answer is obvious.” - George Bernard Shaw
What can’t we anticipate?

Greatest Thing Since Sliced Bread – As we have seen throughout the evolution of enterprise software, there seems to be a never ending flow of revolutionary architectures changing how we build products, deploy solution, and conduct business. This includes CORBA, P2P, SOA, SaaS, Virtualization, and Cloud Services just to name a few. As each new platform emerges there will be new vulnerabilities associated with them.
What’s Old is New Again – Appliances keep coming back as vendors like Intel and AMD seek to drive high-use functions into the chip set and organizations look to reduce the cost and risk associated with major deployments through the use of packaged solutions. However each new wave of appliances has its own associated risks.
The Perfect storm – Who knows, perhaps the combination of social networking, smart phones, and cloud services will lead to the “digital Pearl Harbor” that was predicted in 1991

How did we do compared to our predecessors projections, how will we be judged by those who come after us? Only time will tell.

The Next Cloud Security Frontier: DLP for the Cloud

2009-12-16T16:38:00.000-08:00

While there is a growing consensus that security is the keystone to successfully leveraging Cloud Services and Composite Applications, filtering and securing the data being exchanged is a BIG problem facing us ahead.

Viruses and Malware are the STD's of the Internet and Identity Theft is the equivalent of virtual counterfeiting so as with every other issue/requirement that faces user interactions, SOA interactions face the same challenges.

Existing Cloud Security solutions have focused on authentication, entitlements, which is where Identity & Access Management for users started. However the next generation will need to address the “STD's” and Counterfeiting risks as well like Symantec, McAfee, Sophos, and others have done with DLP and desktop security.

Vordel has recognized this emerging requirement and started addressing it with DLP functionality in their recently announced Cloud Service Broker product that will allow customers to analyze content and act on it whether it is flowing into or out of their environment.

There are already legal precedents and implications which, if called into play, could have substantially negative financial and reputation effects on Cloud Service provides like SalesForce.com, Google Apps, and Oracle On-Demand as well as their clients. One example outlined in this article outlines how storage as a service introduces legal implications based on unchecked content within a packet containing personally identifiable information (PII) or other regulated data creates a liability for organizations that receive it.

Network World even references this as part of a likely growth trend for Enterprise Security in 2010

So how do we get ahead of the 8-Ball on this one?

What is the risk?

All content sent to Cloud services must be analyzed for leaked data, in order to enable Data Loss Prevention.
Content-level threats (viruses, malware, PII, MIIA, etc.) need to be identified and blocked, including application-level attacks at the API and payload level.
It is not enough to know “Who has access to what?”; Enterprises need to know, and be able to demonstrate, what they are doing with it? Leaking PII or any regulated data creates a substantial risk to the enterprise.
Receiving PII, ranging from social security numbers or unencrypted credit card accounts to child pornography creates just as much liability as leaking that data.

How should we address it?

Architecture - Look for flexible SOA Security solutions and XML Gateway's that allow for seamless integration with content filtering and protection services.
Don't spread STD's i.e. Viruses/Malware – Leverage proven tools for content inspection connected to active research labs to analyze the content of packets while it is open to minimize risk AND latency.
Stop Counterfeiting i.e. Data Protection – Leverage the content analysis tools found in proven DLP solutions to review, quarantine, delete, protect, or stop information during the same packet inspection.
Protect against Internal Threat with IRM – The same risks that exist with users are shared here for services. Lock it down with IRM to seal sensitive or regulated data before it goes out the door but still allowing business processes and services to function effectively.

As enterprises host and share data via software-as-a-service (SaaS) and Composite Applications with Public/Private Cloud services, they need to \consider the use of DLP, AV, and IRM technologies to protect themselves and the information being exchanged.

7 Secrets of Fraud & Identity Theft

2009-12-10T10:05:00.000-08:00

Between the media attention and ever increasing security & audit requirements, here are some interesting points on what is behind all this.

#1 -- How broad is the impact?

10 million of US Citizens (1 in 10) were victims of ID Theft in 2008 (Javelin Strategy and Research, 2009).
U.S. fraud totaled $31 billion in 2008 (Javelin Strategy and Research, 2009).
Across the world businesses lost $221 billion a year due to identity theft (Aberdeen Group).
Average vicitims lost $851 and $1,378 out-of-pocket trying to resolve identity theft (ITRC Aftermath Study, 2004).

# 2 -- How hard is it to fix?

Almost 20% of victims don't learn that their identity has been stolen for four or more years (Identity Theft Resource Center Aftermath Study, 2004).
50.2 million Americans were using a credit monitoring service as of September 2008 (Javelin Strategy and Research, 2009).
Taking up to almost 6,000 hours (Average 330), the equivalent of the time working 2 full-time jobs for a year, to correct the damage from ID theft (ITRC Aftermath Study, 2004).
25.9 million Americans carry identity theft insurance (as of September 2008, from Javelin Strategy and Research, 2009).
After suffering identity theft, 46% of victims installed antivirus, anti-spyware, or a firewall on their computer. 23% switched their primary bank or credit union, and 22% switched credit card companies (Javelin Strategy and Research, 2009).

# 3 -- What are the Common Sense ways to avoid it?

One of these things doesn't belong – Check your bills, question things that don't make sense and question charges or bills that are missing.
WHY? Thieves may make a charge and reverse it just to test that the number is valid before stealing it. Also if you did not get the bill, it might be going to someone else that hijacked your account.
Don't call us... - Never give out identity data to someone who called or emailed you, if your bank or credit provider needs info contact them on a known-good phone number or website
WHY? Odds are they wouldn't ask if they knew, many thieves go on phising trips over the phone, web, or email often telling you they are from your bank and “here to help”.
Pick up the phone – Frequently service providers will request that you write down and mail your credit card information, give it to them by phone instead.
WHY? How hard is it for someone in the mail room to copy them.
Somebody is watching you – They put those mirrors on ATM machines for a reason, watch out for someone looking over your shoulder in the real world or online.
WHY? Ever take a Quiz on Facebook like “Which cat would I be? These can be loaded with questions that are also used as your secret questions to retrieve passwords with banks, credit cards, etc. Take a quiz, get your id hijacked.

#4 -- How are we getting attacked?

Stolen wallets and physical paperwork accounts for almost half (43%) of all identity theft (Javelin Strategy and Research, 2009).
Web/email attacks account for only 11% (Javelin Strategy and Research, 2009).
Credit/Debit cards were stolen from 38% of victims (Javelin Strategy and Research, 2009).
Social Security number were stolen from 37% (Javelin Strategy and Research, 2009).
Name and phone for 36% (Javelin Strategy and Research, 2009).
Financial account for 24% (Javelin Strategy and Research, 2009).
35 million+ records were compromised in corporate breaches in 2008 (ITRC).
Racking up your phone bill with long distance calls, and not let you know until it's too late.
Getting a replacement for your credit card just by making a phone call
Starting a new life under a dead person's identity.
Sell your home, or take out a mortgage against it, without your knowledge.
Use up electricity and leave you with the bill.

# 5 -- Does Ice make it feel better?
Freezing your credit report won't always stop many ways of committing

# 6 -- Is there a Conference for this?

Starting on the 19th of January 2010, will be the 12th annual IIR Fraud World conference
Opening & Chairing the event will be Oracle's own Des Powley; Technology Director, Security & Identity for Oracle UK, Ireland, & Israel
Des will also be delivering a session on “The Importance of Delivering Enhanced Identity Management, Fraud Detection & Risk Management”

#7 -- Can you watch the movie instead?

The 2008 documentary "HACKERS ARE PEOPLE TOO" takes an honest look at the subculture and it original origin and the hijacking of the term “hacker”.
The more theatrical version directed by Iain Softley from 1995 “Hackers” is also enjoyable.

Are Enterprises ready for Identity Management as a Service (IMaaS) ?

2009-12-08T14:01:00.000-08:00

While solutions are available and the economics of the solution are desirable it is still early days.

Is the technology available?

Recently Simeio Solutions launched their new version of DirectAXs software-as-a-service (SaaS) suite.
In 2007, Oracle & Wipro announced Managed Identity Service
If you do a Google search there is a seemingly endless list of options including startups looking to change the game such as “Symplified”

So why is it desirable?

Pricing/Packaging - Pay-as-you-go or subscription pricing allows organizations to measure the direct ROI on an quarterly basis plus delivers lower upfront costs and assured service levels
Deployment - Historically IAM implementations have been labor-intensive and create organizational headaches with change control and process engineering which can be costly.
Integration - Disjointed products from multiple vendors, suites, or coming into an Enterprise through various acquisitions create incompatibilities but can be challenging to unwire/replace or merge.
Governance - Provides an immediate/direct combination of identity and access management (IAM) with governance, risk and compliance (GRC) capabilities
Hosting - Solutions can be fully hosted and remotely managed or on premise and managed externally managed
Administration – Provides a centralized/unified management of IAM and GRC capabilities for a streamlined user experience with integrated reporting

So what is the problem?

Multi-tenancy – Existing solutions/architectures require enhanced features for multiple customers to access the same console, provide for data partitioning, and filtering to prevent unauthorized data access.
Converging Suites - As Identity Management becomes increasingly application centric the drive is towards suites that weave IAM into the fabric of the application framework as Oracle and SAP are moving towards
Security Concerns - Heightened compliance and security regulations make identity and access management a critical component of today's enterprise, too sensitive to manage externally
1-Cloud-to-many-Applications - Enterprise deployments require 20-100 applications to be individually integrated into the IAM suite, connecting user provisioning, single sign on, role management and compliance to the single point of the cloud, across the web with each application creates throttling, latency, and SLA-priority challenges and diminishes the performance of the underlying applications and users.

The march towards dynamic, composite applications architectures is definite but the rate is uncertain and the challenges and risks for the early adopters are high.

Is Novell changing the game with Virtualization Security?

2009-12-07T10:27:00.000-08:00

In an intriguing Network World Article today, “Novell grabs for big role in virtualization security”, Ellen Messmer previews Novell's plans to capture a big piece of the Virtualization “hype” by building on their established leadership in Identity Management, Linux, and Network Management.

But can they pull it off? I doubt it and here is why:

Identity and Access Management

As arguably the inventor of modern Application User Provision with DirXML, a key tenant of Novell's strategy is leveraging their IAM leadership and hardwiring the technology into the VM Management and virtual appliance deployment.
Having been closely involved in the early adoption of IAM technologies like SiteMinder at Netegrity and Entitlements at BEA, and User Provisioning at Oracle it is very clear that IAM technologies are highly sticky.
Even when customers want to migrate solutions it is often too expensive, painful, or risky to do so. Therefore convincing non-Novell customers to move to their IAM suite will be challenging.

Building Virtual Appliances

The initial product targeted for release is called “Workshop” to build/deploy workloads for Linux or Windows environments.
However there has been an industry building these “micro kernels” for several years now, including much more comprehensive solutions for patch updates, live monitoring, etc. from players like rPath
Even within the realm of SUSE Linux there is an existing solution “SUSE Studio”, called a quick/easy appliance builder

Change Management

Novell's strategy also includes solutions PlateSpin "Bluestar" for to address requirements for physical server change and configuration management across platforms with monitoring
However between CA, HP, and even BMC, there are well established solutions with large footprints and existing innovation on Virtualization

Market Share:

While Zen VM has broad appeal and adoption, VMware continues to enjoy significant marketshare, tight relationships with Intel & Cisco.
Additionally Microsoft and Oracle's position's within the Enterprise give them technical and sales advantages in addressing this market against Novell

I have great respect for Novell and their role as an innovator across the industry and across decades can not be over stated, however they have substantial barriers here.

BeyondTrust Suite for Privileged Password Management

2009-12-04T08:48:00.000-08:00

You need to have strong security for privileged accounts too?

While good security practices dictate complex password rules that change frequently to protect the users, their accounts, and systems; we have collectively ignored the issue for our most sensitive accounts. Worse, since these accounts are frequently shared we have no forensics on who is doing what.

Why was this ignored?

Databases, operating systems, ERP applications, etc. all have privileged or administrative accounts for “power users”.
But these “Power Users” frequently are a group, sharing the accounts and dealing with changing responsibilities, projects, roles, locations, etc.
Also these accounts are frequently needed for applications and they get hard coded into the application or its configuration and change management or industry certification requirements make it nearly impossible to update them.

So how do you address it?

BeyondTrust PowerKeeper provides Automatic Password Management (APM) to any operating system, database or device via SSH/Telnet
The solution addresses entitlements of users sharing the account with Automatic Authentication and Authorization (AAA)
PowerKeeper is offered as a hardened physical appliance or as a secure virtual appliance
PowerKeeper users and permissions from the enterprise’s LDAP or active Directory (AD) through group membership
Automatically discovers and brings under management any computers found within Active Directory
The solution prevents any direct access to the operating system and has FIPS-140-2 validated components for all encryption
Includes support for single/two-factor authentication using LDAP, AD, Secure ID, and Safeword
And detailed logging and reporting to directly address compliance requirements related to User/Approver/Requestor activities, Password maintenance activities, User and file entitlement (Rights), Internal diagnostics

Here is a visual to give you the idea:

To learn more check out:
www.beyondtrust.com

Forrester & PwC show where Information Security is going

2009-11-13T15:02:00.000-08:00

Compelling reasons for focusing on Enterprise Security from independent analysts Forrester & PricewaterhouseCoopers

As illustrated recently in the CIO magazine article “Why Security Matters Now” By Bill Brenner, PwC's CIO Survey illustrates that while IT departments, CFO's, and CEO's are looking carefully for any opportunity to cut costs, they are still reluctant to slow spending increases in Information Security.

So why can't they curb spending growth on IT Security?

With the explosive growth in adoption of Social Networking sites/tools and Cloud Computing Services there is an ever growing threat for security risk and data security leak.

While these are the most compelling, innovative, and revenue driving technologies … they cause the biggest heart burn. Twitter, Facebook and LinkedIn drive collaboration, help organizations connect with customers, partners, etc. … But they also simplify fraud, data & identity theft, or just make it easier to make mistakes.

While leveraging virtualization & cloud services allows organizations to cut costs and simplify their physical IT infrastructure, it also opens up the pandora's box of new security and management issues. Driving your infrastructure towards the cloud has left you vulnerable to attacks and professional hackers have redoubled their endeavors to use these weaknesses against the big names like Google, Yahoo, etc. but also their enterprise customers.

So where is the good news?

Despite the arguably worst economic down turn in decades, organizations are spending more on in-house security solutions. Security budgets are holding steady, and more organizations are employing a chief security officer (CSO) and/or chief information security officer (CISO).

PwC's 7^th annual survey including input from nearly 7,300 executives worldwide across industried including financial services, health care, retail, government, and so on. The result was a clear indication that organizations are investing in data protection and authentication including:

1. Biometrics

2. Web content filters

3. Data leakage prevention

4. Disposable passwords/smart cards/tokens

5. Reduced or single-sign-on software

6. Voice-over-IP security

7. Web 2.0 security

8. Identity management

9. Encryption of removable media

So who are they turning to?

According to Forrester Research and their recently updated Wave Report on IAM, there is a clear preference for Oracle as the leader and innovator in the the space.

Their positioning of Oracle was driven by their leadership in product functionality/depth but also overall depth of the suite. They highlight how Oracle is the only vendor that has adopted an externalized Entitlements Solution and continues to deliver on it through Oracle Entitlements Server (OES), Formerly BEA AquaLogic Enterprise Security (ALES). Also the commitment to Risk-Based Authentication through Oracle Adaptive Access Manager (OAAM) and the integrated solution for Data Security, Oracle Information Rights Management (OIRM).

To see the CIO article

http://www.cio.com/article/504837/Why_Security_Matters_Now

To get the full PwC survery

http://www.pwc.com/gx/en/information-security-survey/index.jhtml

To read the Forrester’s IAM Wave Report

http://www.oracle.com/corporate/analyst/reports/infrastructure/sec/forrester-wave-iam.pdf

What's Up Doc?

2009-11-13T10:11:00.000-08:00

Highlights from Oracle's 56th IDM Newsletter "News You Can Use"

Innovation Awards

Awards honor innovative use of Oracle IAM at Cisco and Visa

http://www.oracle.com/us/corporate/press/022542

Oracle Magazine salutes Information Secured

http://www.oracle.com/technology/oramag/oracle/09-sep/o59secure.html

Oracle Identity Federation (OIF) Wins 2009 Iddy Award

Oracle, along with NRI, and NTT have won an IDDY in the POC category for an application that demonstrates the possibility and practicality of achieving policy interoperability between OpenID and SAML. See the press release here for complete details.

Featured Partner

As noted in this blog, Oracle Information Rights Management and Symantec DLP version 10 integration announced, taking data protection to the next level by combining data discovery with policy-based application of Oracle IRM.

Oracle Identity Management 11g

Oracle was pleased to announce the release of the first phase of Oracle Identity Management 11g this past summer, including enhancements to Oracle Identity Federation, Oracle Internet Directory, and Oracle Virtual Directory:

http://www.oracle.com/us/corporate/press/020724

Oracle Identity Federation 11g

OIF 11g introduces the flexibility, performance and manageability enterprises require from federation solutions. Building on the FMW frameworks for audit, logging, monitoring and credential storage, OIF puts Oracle's first-class compliance, diagnostic and security tools at the administrator's fingertips.

Oracle Virtual Directory and Identity Publisher

OVD allows Identity Publisher feature for PeopleSoft HR, Siebel and Oracle Customer Hubs to make it possible to access identity information stored in these Oracle applications easily, in real-time without any additional synchronization.

Oracle Enterprise Single Sign-On Anywhere

ESSO Anywhere is the first comprehensive offering from a major vendor that lets enterprises host single tenant ESSO in a private cloud to provide users with secure access to heterogeneous enterprise resources from anywhere, anytime.

http://www.oracle.com/us/corporate/press/035509

F5 BIG-IP access solutions to be integrated with Oracle Access Manager

As noted on this Blog, solution will enable customers to centralize and unify application access control services across diverse network environments.

Qualcomm Discusses The Next-Generation Identity Management Solutions

Oracle Identity Management 11g provides the next level of cohesive management and deployment within a common console by allowing administrators to manage multiple parts of the stack. Watch the video to see more about how Qualcomm is using Oracle Identity Management.

http://www.oracle.com/us/products/middleware/identity-management/index.htm?section=VO&uid=8103894&refid=id_VO_8103894

State Of Delaware Goes "Green" By Implementing Oracle Identity Management

The State of Delaware provides online services to their citizens and employees. They selected Oracle Identity Management based on flexibility, security, and auditing capabilities. Please visit the link below to see the State of Delaware video.

http://www.oracle.com/us/products/middleware/identity-management/index.htm?section=VO&uid=8103899&refid=id_VO_8103899

Marc Chanliau discusses Security as a Service

Director Product Management, Marc Chanliau, discusses how “Oracle Fusion Middleware is highly predicated on service-oriented architecture (SOA) environments.”

To get the full details of the newsletter

Provisioning Cloud Services like Google Apps

2009-11-12T09:59:00.000-08:00

“You must not blame me if I do talk to the clouds.”

Henry David Thoreau

While SaaS/Cloud/SOA services … pick your buzz word, are great alternatives for small to medium size organizations (SMB), using them requires Provisioning & Federated Security which are challenges even for large Info Sec departments in Fortune 100 organizations.

In particular Google Apps™ provide small businesses, universities, schools, and other organizations the option to outsource collaboration tools, etc. for low- or no-cost. But the issue of managing user access to those applications is still the responsibility of the organization.

So what is the solution?

The Aegis Provisioning Appliance for Google Apps delivers the tools needed to automatically add, modify, and delete accounts by expanding organizations existing directory services and provisioning infrastructure.
The appliance provides a full set of account management tools through real-time secure interfaces to Google Apps.

How does it work?

Automates the creation, update, deleting of accounts based on actions in an organizations existing directory service (e.g. Microsoft Active Directory or LDAP)
Provides delegated administration for defined users to add, update, delete accounts
Creates predefines web-based workflows including approval chains
Supports future expiration dates or renewal approvals
Simplifies the use of contractor or guest accounts with access registration/sponsorship forms

What is the compliance impact?

The Aegis Appliance ensures that account creation, updates, deletes are done in line with the organization’s policy.
Rules can be easily applied (and demonstrated) so a contractor needing access to Gmail for one week and then automatically disabled.
Allows organizations to start with Google Apps and scale into a full enterprise IAM deployment from Oracle

So how do I deal with the security issues?

The Aegis Provisioning Appliance can be combined with the either Aegis Password Management Appliance or the Aegis SSO Appliance
This provides users with a seamless login experience to their new Google accounts through either synchronization of passwords to Google, or web-based SSO.

Why are appliances beneficial to SMB's?

AegisUSA Appliances are a revolutionary approach to IAM, providing enterprise-level functionality in an appliance form factor
The 80/20 rule - This reduces cost through simplicity, removing the complexity by focusing on the most common use cases
Higher time-to-value for an identity solution through lower implementation costs
Provides a fully configured HW/SW environment, leveraging enterprise-class components

This is part of a broader evolution of IAM as SMB's are becoming a growing consumer of IAM technology which is the driver behind the AegisUSA strategy.

After all there are only more Cloud based services to come. As Judy Garland put it "Behind every cloud is another cloud.”

To learn more visit Aegis USA

Bridging Physical and Logical Security

2009-11-10T16:59:00.000-08:00

OK, so I secured the applications but who walked into the building???

Why do I care?

Same old reasons Audit & Compliance – Difficult to obtain
Legal mandates (FDA, DEA, SOX, SAS70 etc..)
Cardholder Access Rights and Global visit records
duplicate records, not accepted by auditors - Multiple records in multiple Physical Access Control Systems (PACS)
Ghost & Orphan accounts
Managing “PACS & Access Changes” is Complex & Costly
High Operational Cost - multiple manual processes
Card Issue, Card De-activation, Lost or Stolen card
Temporary cards, Visitor management
New Hire, Termination, Changes in Role, Title, Department, Location, etc…
Time & Attendance, Asset Check in/Check-out, etc.
Multiple Silos of Physical Access Control Systems (PACS)
Configurations in PACS are all different
Different Door names, Access Privileges, Clearances,
Concept of Global “Role or Groups” missing across PACS
No Self-Service Console, No Global Administration
Manually Driven & Error Prone process increases Cost

Not convinced yet? Here are the metrics...

ROI Calculator Based on a large multinational organization
- Current system cost: > $25yr per person on maintenance
- Porting cost for acquisitions: > $35/yr per person
Result: Over $20MM in savings, ROI in under 1 year!

But that is just on the physical security. Complexity costs, simplicity saves!

To learn more about this solution please check out their site:

http://www.quantumsecure.com/

Infinite Identities

2009-11-10T12:34:00.000-08:00

What's with the title, "Infinite Identities"?

Ok, so mostly it was selected because it was available and sounded catchy. But the Network World article today, "Drowning in Passwords", really speaks to the origin of the name and the key challenges we all face as individuals and organizations trying to manage our seemingly infinite number of identities.

While we mostly talk about security and compliance, IAM is truly a management problem. Both in the real world and in the virtual one we all play many roles:

Father, husband, brother, son, grandson, friend, son-in-law
Litter Box cleaner, leaf raker, toilet plunger, bug-killer
Surfing-buddy, lunch-meeting-friend

With matrixed organizations, overlapping projects, evolving priorities, and dynamic timeslines we equally have a complex identity in the office:

Manager, employee, co-worker, partner, customer
Internally as a client of HR, procurement, legal, expenses
Externally as a client of the healthcare provider, 401k, gym, etc.
Selling to customers, selling with/to partners or partners selling to you
The lead on a FY planning project, contributor on a new product strategy, listener on a new marketing program

Each one of these roles has a unique identity, not just by itself but also in all their interactions. This makes the number of not only accounts and password endless, but truly makes our entitlements infinite.

The challenge is only further complicated when you layer in social networking, from blogs to Facebook and Twitter, our 1:1 interactions in one role gets mixed with our identities in another. For example many have learned to keep their work "friends" on linkedin and their personal "friends" on Facebook, and their family ... on email.

This increasing web of complexity fuels the continous need for new innovations, solutions, and ultimately integrations to address it.

With this Blog, Infinite Identities, we will look to highlight and promote the best practices and best solutions being driven by innovative partnerships in IAM.

Thanks for reading!
Brian

Identity Proofing with IDology and Oracle Adaptive Access Manager (OAAM)

2009-11-09T14:42:00.000-08:00

Do you know who I am?

You may think so, but what if someone has hijacked my account, my identity, my computer, my web browser, my session, etc. With high impact/value transactions, this “What if?” can have major consequences.

Richard M. Nixon famously said “I know you believe you understand what you think I said, but I am not sure you realize that what you heard is not what I meant.”

The point here being, even when you believe you know the user you may not? In an era where accounts, machines, and identities are taken hostage there is a need for a technology that can verify that you are who you say you are.

When do I need this?

Someone is trying to open a new bank or credit card account - stolen identities can be translated into thousands of dollars in lost merchandise, hurt your brand, and increase insurance or credit card rates.
Bank Transfers – Hijacked accounts from malware/viruses can leverage existing legitimate sessions to transfer money out of customer accounts.
Car Lease/purchase – Imagine someone walks off the lot with a car, but under a false identity. The retailers is unlikely to ever see the vehicle again.
Cell Phone – Using stolen identities or credit cards, thieves can rack up thousands in international phone bills
Medical Records – Employers could leverage inside information on potential employees to make hiring decisions based on potential health insurance cost from pre-existing conditions
Customer Data – Sales person walks away from their desk and a soon-to-be-leaving employee downloads current pipeline information or customer data to bring to their future employer.

The list of examples is endless and applies across all types of organizations, from public sector to higher education, from Fortune 500 enterprises to financial services and health care.

So how does this work?

Based on policy, type of transaction, or probability of Fraud calculated by OAAM's risk scoring engine in real time, users can be promoted to join an “Authentication Session”.
Users will be asked a series of questions such as “Which one of these is a street you grew up on?” or “What is the make/model of your first car?
Unlike traditional Knowledge Based Authentication (KBA) with IDology questions and answers are generated dynamically based on a combination of public/private data sources. This is called Dynamic KBA.
Based on the users answers IDology creates a fraud score, and OAAM determines, based on the organizations defined policy, if it will allow the user to continue with the transaction.
OAAM can also used other context information such as Geo Location data, or require secondary or step-up authentication from something like StrikeForce SMS, ActivIdentity, or Verisign VIP.

You want to see it in action:

Demo

Oracle / ArcSight – Providing Real Time Oversight of User Behavior

2009-11-09T12:56:00.000-08:00

When IT infrastructure generates millions of events/logs daily, how do you do you know if there is an issue and who is causing it?

Traditionally SIEM (System Information & Event Management) products track events by what resources are employed, when, by whom and for what result. Unfortunately the “who” part changes in real time based on the process being used and for what purpose. But with IdentityView, ArcSight transfers identity and role information from Oracle Identity Manager into its Enterprise Security Manager so that it can correlate all the identity markers and privileges of a specific user.

Armed with this proverbial identity matrix, ArcSight ESM can then associate events with a specific person, independent of the various identities that he or she employs.

So why do we need this?

To automate the correlation of compliance and policy violations with specific users
To understand how your key users (admins to accountants) are using IT infrastructure
Increase accuracy/productivity of your role engineering and provisioning process
Respond to security and compliance issues before they damage the organization
Provide business owners with information about policy and security violations in terms that they understand and can act on
Provide visibility and assurance to C-level executives that policies are being enforced to conform with compliance regulations such as Sarbanes-Oxley, PCI, HIPAA, etc.

What are the benefits?

Leverages the investment in OIM by linking users and roles to security problems, compliance violations, etc.
Faster identification of security and compliance issues resulting in more rapid response and remediation
Control/monitor access rights & IT usage (services, apps, data, etc.) requires correlating millions of real time alerts and logs with specific user activity
Provide auditors with proof that controls are in place and effective
Visibility into violations of corporate policies covering customer, employee and business-sensitive data
Improved productivity via automation of required reports, summaries and auditor requests for information

So why now?

You already have this covered

Many organizations have invested in home-grown event monitoring solutions, but the challenge is that problem continues to get bigger, with every new system (applications, devices, Cloud/SaaS solutions) added to the environment.

ArcSight cleanly replaces those solutions and delivers more functionality at a lower cost.

You can't face this now, maybe in the future
SIEM solutions are now considered standard “due care” for auditors concerned with SOX compliance.
PCI DSS #10 explicitly requires monitoring of the relevant IT infrastructure.

You don't have the resources
Budgeting for security and compliance is difficult but by combining ArcSight with Oracle Identity Manager, organizations can “double up” on their return on investment based on the synergy between the products.
SIEM alone provides multiple solutions for the security group, compliance group, risk management, etc.

To learn more:

http://www.arcsight.com/products/products-identity/

Vordel Launches Cloud Service Broker

2009-11-06T06:57:00.000-08:00

With the Cloud Service Broker, Vordel pledges to bring trust and reliability to Cloud Computing

So what does this mean?

The solution aggregates multi-domain services across their enterprise, partners and 3^rd party cloud services such as Amazon EC2 and Google Apps
Through bringing the services together, the Broker enables organisations to consistently define and manage policy across these services and report on them
Through the Broker, composite applications can be built seamless while offering full visibility, trust and control".

So why do we need this?

Organizations using Cloud services in conjunction with their own on-premises SOA face major issues related to reliability and trustworthiness.
Very difficult to bring together services from across domains (i.e. on-premises, Public and Private Clouds, and B2B) into coherent composite services and applying policies to them.

Vordel CEO, Vic Morris, said "Many organizations see the value of incorporating Cloud Services into their IT infrastructure, but they also have concerns about the reliability and performance of these services outside their domain of control. The Vordel Cloud Service Broker addresses these issues by providing a trustworthy “

So how does it work?

The Broker solves this problem by registering services from all three domains into a single repository, enabling monitoring, management and policy enforcement.
Plus the Vordel Cloud Service Broker offers value added services like caching, acceleration, and transformation, delivering enterprises savings in time and money.

What is under the covers?

Multi-Domain Registry Repository (MDRR) – This is where the Broker registers aggregated services across domains. This one-stop-shopping for compliance to Service Level Agreements, privacy and security mandates.
Analytics – Providing the visibility through an independent audit trail including raw usage information, service quality, patterns of usage over time, and identity of users.
Content Analysis – Content is analyzed to enable Data Loss Prevention (DLP), content-level threats, and application-level attacks at the API and payload level.
Caching – Protecting against latency from the Cloud service, saving money by allowing some requests to be serviced by the broker itself.
Composition – Allowing developers to link together local apps with Cloud-hosted apps via Web Services interfaces, database, or message schemes like MQ or JMS.
Content transformation – Accelerated transformation for mediation between different applications or between REST API interfaces and SOAP, JMS, COBOL, etc.
SLA Monitoring - Comprehensive monitoring of response time of Cloud services, and the entire transaction throughput time.
Traffic Throttling – Vordel refers to this as the “surge protector”, protecting against apps making a high number of calls to a Cloud service by deflecting a portion to a back-up service, newly provisioned for this purpose.
Event Alerting – Notification of events like Cloud outages so that remedial measures can be put into place.
Extensibility to 3rd Party Valued Added Services – Traditionally very difficult/costly with non standard API's from competing solutions, but is made easy & pluggable here.

For more information:

One More Time! Oracle Tops Gartners Provisioning List

2009-11-05T06:27:00.000-08:00

Oracle Announced this morning that they were again named the leader in Gartner's "Magic Quadrant for User Provisioning".

The Gartner Magic Quadrant ranks vendors based on their completeness of vision and their ability to execute on that vision. This is indicative of a dramatic evolution in the Identity & Access Management Market over the nearly 5 years since CA announced their acquisition of Netegrity.

The move sparked a shift from focusing on Web Single Sign-On to end-to-end suites for Identity and Access Management and lead to the spending spree at Oracle which put together this leading suite of products and market vision. In total, Oracle brought together technology from 9 IAM innovators to develop this market leading technology suite:

Phaos - Now Oracle Identity Federation (OIF)
Oblix - Now Oracle Access Manager (OAM)
Confluent - Now Oracle Web Services Manager (OWSM)
Thor - Now Oracle Identity Manager (OIM)
Bridgestream - Now Oracle Role Manager (ORM)
Bharosa - Now Oracle Adaptive Access Manager (OAAM)
PassLogix OEM - Now Oracle Enterprise SSO (OESSO)
BEA ALES - Now Oracle Entitlements Server (OES)
BEA WebLogic Security Services - Now OPSS

One of the pioneers in this evolution had this comment on the announcement;

"With roles, rules and policies continually evolving within the enterprise, organizations need strong user provisioning solutions to streamline security, achieve increasing levels of automation and efficiency and ensure sustainable compliances," said Amit Jasuja, vice president, Oracle Identity Management. "We are pleased to be recognized as a leader in Gartner's Magic Quadrant for User Provisioning, and remain committed to delivering the most secure, comprehensive and scalable solutions to customers."

Looking at the full Magic Quadrant for User Provisioning it is interesting to note that with Sun in the top 3 as well it is clear that this market is heading for further evolution but more importantly innovation that will directly benefit customers and technology providers leveraging an increasingly mature, standardized, IAM suite across each layer of the application stack regardless of the deployment model.

Here is the link to the
press release.

Persistent helps organizations say Bye-Bye to CA SiteMinder

2009-11-04T12:52:00.000-08:00

Persistent Systems delivers a packaged solution for migrating from CA SiteMinder to Oracle Access Manager (OAM)

So why do we need a solution for this?

· Accelerated – Save time (i.e. $ on implementation)

· Lower Risk – Repeatable solution reduces project risk

· Proven – Well laid path by existing reference customers

· Turnkey – OOTB solution

Why do organizations want to migrate?

· CA SiteMinder has a very large & dissatisfied install base because of

o Poor investment in Dev and Support – There are substantially less engineers building/supporting SiteMinder then when it was part of Netegrity, while Oracle has increased the dev team on OAM

o Costly Support – CA support pricing model creates painfully high pricing (disproportionate with the rest of the market) in the mind of many organizations.

· Stack Limitations:

o As a stack, the Oracle IdM suite has dramatically out paced CA in completing the picture and innovating towards the future.

So who should consider this?

· SiteMinder users with Oracle products (DB, EBS, Apps, IdM…….) – i.e. those that will benefit from the Oracle IAM Suite and the broader Oracle Suite

· Customers who use both SiteMinder and OAM for different applications or business units – i.e. those hungry for actual SSO

· Customers who have SiteMinder environments through acquisitions – i.e. cost savings

· Anyone with a SiteMinder deployment

So why now? Why was this not done already?

· Legacy – SSO environments constitute several years of work/investment

· Perception – Migrations are seen as long, effort-intensive, expensive and risky

· Time – Typically ROI is too far away, but not in this case

Persistent Systems' SM2OAM solution addresses all these challenges!

Case in Point – At a large public technology provider (not ORCL), the migration time from SM to OAM was brought down from 24 months to 6 months!

OK, so how do we do this?

· Option 1 - Fully outsourced

o Turnkey Persistent solution includes ‘acceleration plus services’

o All phases delivered by Persistent

o Direct, subcontract and fixed fee options available

· Option 2 - Joint solution

o Persistent provides ‘acceleration’ for existing services team

o Phases in blue delivered by partner, rest delivered jointly by Persistent

o Fixed fee, markup and shared revenue options available

So who is Persistent Systems?

· Over a decade working on the backend doing OAM engineering

· Over 140 person years of engineering experience with Oracle IAM stack

· Ongoing implementation efforts – 20+ marquee customers

· Winner of Oracle's partner ‘Challenge’ – OID 2 billion benchmark, ‘last-mile’ solutions

· 20 years old, profitable, 5K people, hundreds of customers, Thousands of product releases

· Global presence – North America, Europe, UK and Asia

To get started contact:

Muneer Taskar

muneer_taskar@persistentsys.com

StrikeForce Technologies ProtectID® provides step-up two factor “Out-of-Band” authentication to OAAM

2009-11-03T16:02:00.000-08:00

Using OAAM and ProtectID® together, companies can defend against the latest online threats, including account takeover schemes and man-in-the-middle attacks to restore trust in Internet transactions. The combined offering utilizes advanced authentication and fraud prevention to evaluate risk and alert organizations in real-time to potential fraud threats. In addition, the OAAM/ProtectID® solution enables companies to employ a range of security options, including “Out-of-Band” phone authentication, to meet diverse user requirements or upgrade to higher levels of protection as threats increase without reinvesting in infrastructure. Enterprise Security Officers prefer two-factor authentication all the time. Consumers are happy with simple ID/Password authentication, thereby finding a workable solution has been a challenge for companies.

The Oracle Adaptive Access Manager (OAAM) combined with StrikeForce’s ProtectID®, meets this challenge. Heightened regulatory requirements (e.g. FFIEC and The Red Flags) recommend adopting strong two-factor authentication for the higher risk transactions. Gartner recommends “Out-of-Band” authentication as a necessary layer to prevent Identity Theft. The regulations explicitly discuss the use of One Time Passwords (OTP) delivered via phones or similar devices in addition to utilizing “Out-of-Band” strong authentication. The ProtectID® strong authentication platform provides these services (which is the reason the partnership with StrikeForce was developed). Many of these enterprises also want two-factor authentication for their employees (which OAAM and ProtectID® also solves in combination and separately).

The ProtectID® platform is an implementation or “Cloud Service” of the OOB Authentication methodology providing strong authentication via a number of different authentication technologies. Currently the platform supports the following strong authentication methodologies:

“Out-of-Band” methodologies:

Entering a fixed PIN in a phone
Entering One Time Password (OTP) in a phone
Sending an OTP to a phone via SMS
Sending an OTP to a phone via text to speech
Sending an OTP via email

Token methodologies:

Hard Token OTP (key fob that displays OTP when a button is pressed)
Soft Token OTP (OATH compliant software) that can reside on a PC or a Black Berry or PDA or J2ME compliant cell phone.

Value of ProtectID® to OAAM

A ProtectID® and OAAM combined solution delivers an advanced security proposition to combat the growing threat of consumer identity theft and fraud on the Internet. The combination of OAAM’s real-time fraud prevention and ProtectID’s real-time two-factor “Out-of-Band” authentication platform, provides financial institutions, online retailers, health care companies and other businesses with a robust arsenal of security tools for protecting consumers from fraud, for accurate identification of employee access, and all while complying with industry security guidance’s and regulations.

Therefore, with the combination of OAAM and ProtectID®, the client benefits from a Return On Investment (ROI) and compliancy with regulatory requirements (FFIEC, Red Flags and others), with minimal inconvenience to the most important person, the end user. The majority of transactions authenticated should pass the OAAM fraud prevention process. For those transactions that are detected and flagged as potentially fraudulent, OAAM would then automatically invoke ProtectID® to perform a two-factor strong authentication for the consumer, which minimizes the expensive help desk process and thereby provides greater satisfaction and cost savings. This total fraud prevention solution is a win/win for the company and its clients. ProtectID® could also be used for password resets, high dollar value online transactions, remote log on, etc.

Interfacing ProtectID® with OAAM

ProtectID® appears as a web service to a web site that implements both OAAM and ProtectID® and allows for step-up or other requests for strong 2-factor “Out-of-Band” authentication based on the risk level determined by the Company and or OAAM.

OAAM only employs step-up authentication when it’s truly needed so end users are not being inconvenienced.

Following is a link to allow you to test “Big Bank” showing an example of how ProtectID® can be integrated with OAAM for the best all around total solution (fraud mitigation with 2-factor “Out-of-Band authentication) with options and flexibility. Just sign on with a user name and it will ask you to register and allow you to test the Best complete compliant authentication solution available and all from Oracle:

http://d.oobauth.com:8888/sample/

For more information please contact:

Mark L. Kay, CEO
StrikeForce Technologies, Inc.
marklkay@strikeforcetech.com
www.strikeforcetech.com
(o) 732-661-9641

No More Tokens!!!

2009-11-02T09:53:00.000-08:00

Juniper says "Good Bye Tokens" with Oracle Adaptive Access Manager (OAAM)

As the #1 SSL VPN provider with 92% of Fortune 100 and 8 of top 10 commercial banks plus 47 of 50 US State Governments, odds are you have used a Juniper SSL VPN to connect to your employer, partner, or service provider … and odds are you had to use a hardware security token.

While tokens like RSA BSAFE provide an accepted alternative to passwords, they are clunky, costly, and not secure from many potential attacks like man-in-the-middle or man-in-the-browser.

Looking to help customers overcome these challenges, Juniper partnered with Oracle to integrate the Oracle Adaptive Access Manager (OAAM) which not only provides a software alternative to tokens, greatly improving the user experience and dramatically lowering TCO, it also saves hard dollars and protects the organization’s reputation with real-time fraud detection.

More specifically OAAM provides:

Strong, multi-factor authentication for secure access control
Seamless interoperability with hetergenous App Servers (IBM, BEA, SAP, etc.)
Enforces access at the protected resources thru web plug-ins
Delegates authentication and authorization decisions to a central authority

Which compliments the existing features and security of Juniper SA SSL VPN such as:

Provides secure, encrypted communication channel for all remote users from anywhere and from any device
Enforces Oracle’s policy based authentication and authorization policies at perimeter
Provide 3 different levels of connectivity, going beyond just web support, including Layer 3 VPN connectivity for fat clients, VoIP, streaming, FTP, and more
Performs comprehensive “Host-Checking” to ensure end-point integrity
Enables coordinated identity based threat response and prevention with other products

The benefits include:

Lower cost and complexity of authenticating users
Eliminates non-user friendly, expensive gadgets, tokens or proprietary software downloads
Host checker + real-time fraud prevention provides greatest overall access security
Low-cost, flexible way for enteprises to extend strong authentication to partners, suppliers, contractors, and non-employees accessing critical applications
Native integration eliminates need for OAAM’s UIO option

How does this really save me money? - Good question! Here is how it works:

Lower Hardware Costs

Mitigates need to provide SSL on each Web / App Server; fewer servers
Single appliance scales to thousands of simultaneous users
Carrier-class reliability and HA features

Lower Management Costs

Seamlessly leverage and instantly extend I&AM policies to remote users
Eliminate need to duplicate policies across servers and networks
Plug ‘n play integration – deployment guides and Oracle reference architectures
Leverage combined audit and log data for compliance

Lower Business Risk

Moves OAM policy enforcement point out to network perimeter, increasing security
Coordinated identity-based threat response to attacks
Comprehensive identity based access logs

To download the data sheet:
http://www.juniper.net/us/en/local/pdf/solutionbriefs/3510251-en.pdf

For more information on the Juniper Oracle Partnership:
http://www.juniper.net/solutions/information_technology_topics/accelerating_oracle_business/index.html

To learn more about OAAM:
http://www.oracle.com/technology/products/id_mgmt/oaam/index.html

Don’t believe me, ask Juniper:
David Colodny
dcolodny@juniper.net

Oracle OPN Days - Virtual Event

2009-10-28T11:34:00.001-07:00

Much more the "virtually helpful"...

What are Virtual Days?
Somewhat of a hybrid between web conferencing and social networking these events offer a unique opportunity to gather subject matter experts from around the world with industry thought leaders have dynamic discussions about technology, architecture, but most importantly ... How do you make your organization more successful?

Challenges with a traditional conference:
We have all been to many large conference halls from the San Francisco Moscone Center to the Venetian Hotel & Conference Center in Vegas or the Orlando Florida Conference Center. While the face time to build relationships is important there are many draw backs, for example consider these scenarios we have all experienced:

You make it to the booth of someone you need to connect with but the expert on your topic won't be here until tomorrow.
A key customer approaches but Jim Thompson who runs product management just went to the bathroom
Despite being at the event, Tom Jones the architect whose advice is highly valued by the CIO and decision maker is too shy to approach face to face so you never knew they were there or could find Tom.
You are talking to a potentially large customer but they are interested in a new product or partnership and the collateral did not make it to the show.
You agree to share content on a pressing issue but the action items get scribbled on a conference flyer and get lost.
You finally connect with the right people and you can't find a place to sit and talk or hear one another over the crowd
You get cards from everyone you meet but it would take another week to index then and store the information virtually and it becomes difficult to follow up.
You get to the booth in the morning but your technical sales manager was out with a client the night before and did not make it to the booth in time to meet another key client

Instead with a Virtual Event you can:

Dynamically grab the content you need and provide it electronically
Pull in experts from anywhere in any language instantly
Digitally share contact information and action items
Avoid the high cost of traveling to conferences
Save your feet and time running between sessions

Why the Oracle OPN Days?

Support for 9 languages
Product, alliance, and sales experts in 1 place
Information across Oracle database, middleware, and applications
This event is focused on partners and how they can be successful with Oracle and benefit from our many sales and marketing programs.
Rapidly navigate the ~85,000 Oracle organization

To learn more visit the site:

http://events.unisfair.com/index.jsp?eid=491&seid=26&code=OPNDaysVEOracleMailSignature

Updated Oracle IDM Ecosystem

2009-10-27T12:28:00.000-07:00

The Oracle IDM Ecosystem is strong and growing!

Oracle announced the Extended IDM Ecosystem in June 2007 to unify security islands, as Organizations commonly have multiple security systems in place—one technology to secure physical access, another to secure legacy applications, and yet another to secure network access. To cope with these "silo'd" solutions, Oracle partnered with best-of-breed ISVs to offer a central and effective means to enforce security policy across all enterprise resources.

Today the mission continues to be the same while the technology landscape and customer requirements have evolved. Since I took it over the leadership of the Ecosystem in June of 2008 we have added several new categories including:

SOA Security & Governance – Enforcing and managing message level security, throttling, and acceleration for the Oracle SOA Suite

Identity Assurance - Certified solutions for fraud prevention combining Oracle Adaptive Access Manager (OAAM) with solutions spanning Identity Proofing, Internet Geolocation, Out-of-Band Authentication, Secure Remote Access, and more.

Data Loss Prevention – Partnering with the leaders in end point security and data protection to identify the flow of sensitive information and protect it through IRM, and IDM policy reconciliation.

Priveleged User Management – Extending the management of application accounts, users, and credentials to provision, secure, and monitor privileged/shared accounts by users or applications.

The core benefits, that extend to these new categories as well, include:

Reduces deployment risk—Certified and proven interoperability significantly reduces time to deployment, costs, and risks of deployment

Strengthens security and compliance—Central management of disparate resources and identities improves enterprise security and enhances regulatory compliance

Improves operational efficiencies—Linking identity across systems and providing a central authentication interface greatly improves operational efficiencies and user productivity

The current list of partners includes:

Authentication & Identity Management—Arcot Systems, ArcSight, Daon, Entrust, F5 Networks, Giesecke & Devrient, Juniper Networks, Quantum Secure, RSA
Identity Assurance—ActivIdentity, BIO-key, IDology, Juniper Networks, Quantum Secure, Quova, StrikeForce, Vasco
SOA Security & Governance – Vordel , Layer7 , Intel , and Sonoa Systems
Data Loss Prevention – McAfee, Symantec, & ControlGuard
Priveleged Account Management – Cloakware, Cyber-Ark, Liebsoft, and BeyondTrust (formerly Symark)

As always you can learn about the Ecosystem on Oracle.com
http://www.oracle.com/products/middleware/identity-management/ecosystem.html

To learn more about becoming an Oracle Partner please visit the Oracle Partner Network:
http://www.oracle.com/partners/index.html

Symantec announces DLP powered by Oracle IRM

2009-10-27T10:29:00.000-07:00

Oracle IRM and Symantec DLP integration announced

Launching their latest release of data loss prevention (DLP), Symantec focused on the new functionality in version 10 allowing customers to directly leverage the benefits or Oracle IRM to protect their sensitive data.

Symantec is the leader in DLP technology and organizations world wide leverage their solution for discovery and monitoring of enterprise network traffic and perimeters to detect the flow of information that needs to be protected for privacy, compliance, or from competitors. When DLP detects something that is deemed confidential it can take some action upon it, typically this is in the form of blocking the information from continuing to be transmitted or removing it from the file servers.

However combining DLP with IRM means you don't have to restrict the end user or impede the business by blocking their attempts to collaborate. Instead you directly enable the organization to interact securely and teach best practices. Oracle IRM technology will encrypt and protect the document or email so that it can be shared. IRM ensures only authorized users have access and provides advanced security controls such as revocation to the information, even after it has left the control of your enterprise networks.

Oracle and Symantec have been working closely together over the past months to build an integration between Oracle IRM and DLP based on direct input from customers and implementation partners. The combined solution offers the most innovative, use-case driven security solution of any IRM and DLP combination.

Oracle IRM is the leading rights management solution for enterprise-scale document and email security and Oracle is the leader in Enterprise Identity & Access Management according to Gartner, Burton and Forrester. Combining this innovative technology and thought leaders for Access Management and Content Security means customers can now have rich monitoring and detection capabilities.

Instead of blocking attempts to share valuable data, this solution allows it to happen securely. We first demonstrated this capability at Oracle Open World and if you were not able to attend, we've uploaded some video demonstrations to our YouTube channel.

If you want to learn more about using Oracle IRM and DLP together contact us.

IRM at oracle.com

Online demonstration

Downloads on OTN

Technical white paper

Business white paper

The official Oracle IRM Blog is available here or by looking through the archives.

Identity Management Partners making news at Oracle Open World

2009-10-21T13:21:00.000-07:00

While Oracle Open World is traditionally dominated by Database and Applications, this year Identity Management made waves and made press.

Network World's Dave Kearns similarly noted the shows focus but reported on some of the highlights for Information Security in his Column
http://www.networkworld.com/newsletters/dir/2009/101909id2.html?hpg1=bn

Particularly he noted the innovative solution for Privileged Account Management offered by Liebsoft and highly tuned and integrated to work with Oracle products:

http://www.liebsoft.com/common.aspx?id=3103

Also of interest to Dave was the unique Enterprise SSO Anyware offering Oracle brought to market through their alliance with PassLogix:

http://www.oracle.com/us/corporate/press/035509

Though Dave did not mention what many feel is one of the most innovative architectural solutions for Web Access Management announced by F5 to reduce the complexity of agent deployments, updates, and management by moving them to the load balancer with their industry leading Big-IP product.
http://www.f5.com/news-press-events/press/2009/20091006.html

What is Consumer SOA? "COSA"

2009-10-21T12:09:00.000-07:00

So what is Consumer Oriented Service Architecture (COSA)?

SOA is a well known and established technology area with innovation driven by technology vendors like BEA/Oracle and SoftwareAG for leveraging/wrapping legacy applications and rapidly integrating technology across platforms, partners, and customers but COSA is a new concept.

The term itself was coined by Oracle Product Manager Vikas Jain in his blog
http://ws-security.blogspot.com/2009/10/consumer-oriented-service-architecture.html
But the idea is well established and was driven by those delivering services not by technology vendors.

As Vikas points out "While SOA concentrated on how to make the service architecture better, it left out on the consumer focus. The consumer focus becomes especially important when services are exposed to partners."

Vikas goes on to define the key challenges and requirements for a COSA solution such as Consumer Identification, Throttling so that the right customers get the right SLA, Contracts & Policies, Reporting, and Provisioning.

Today media vendors and social media vendors are leading the charge and paving the road with innovative technology vendors like Vordel, Sonoa Systems, Layer7, and Intel.

MTV Networks is a great example with their work with Sonoa Systems:
http://www.sonoasystems.com/about-us/news-and-events/mtv-networks-selects-sonoa-for-api-infrastrcture-feed-management

It is also demonstrated by the participation of Steve Riley, Evangelist and Strategy for Amazon at the Vordel User Conference.
http://www.vordel.com/news/press/16_09_09.html

Intel is targeting Oracle Fusion customers with http://www.intelforfusion.com/

Layer7 is also making waves with their announcement around integrating Oracle Service Bus with their hardware XML Gateway. http://www.layer7tech.com/main/products/osba.html

F5 Announces Plans to Unify Access Management for Web Applications

2009-10-06T09:53:00.000-07:00

Solution Will Combine F5`s BIG-IP System with Oracle Access Manager to Enhance
Single Sign-on Capabilities and Simplify Access Control

SEATTLE--(Business Wire)-- F5 Networks, Inc. (NASDAQ:FFIV), the global leader in Application Delivery Networking (ADN), today announced that it plans to integrate F5 BIG-IP access solutions with Oracle Identity Management software to centralize web application authentication and authorization services, streamline access management, and reduce infrastructure costs.

Details
Advantages of combining F5 and Oracle solutions will include:

* Tight integration of the F5 BIG-IP system with Oracle Access Manager, enabling reduced TCO, lowered deployment risk, and streamlined operational efficiencies for customers.
* Integration with Oracle Access Manager Single Sign-On (SSO) to promote a superior end-user experience and enhanced user productivity. This integration will enable organizations to adopt an access management and SSO strategy that allows rapid ROI.
* A unified point of enforcement to simplify auditing and control changes in configuring application access settings.

F5, a member of the Oracle PartnerNetwork, will provide additional information about the planned solution in Booth #1421 at Oracle OpenWorld, taking place October 11-15 at the Moscone Convention Center in San Francisco. To learn more about F5`s presence at Oracle OpenWorld and other industry events, please visit www.f5.com/news-press-events/events.

Availability
The combined solution is expected to be available within the first half of CY 2010.

Supporting Quotes
"Ease of implementation and TCO are very important to Oracle and its customers," said Brian Mozinski, Director, Product Management, Identity Management and Security at Oracle. "By integrating functionality from Oracle Access Manager and F5`s BIG-IP system, customers can further streamline their deployments of the Oracle Fusion Middleware 11g Identity Management Suite."

"Our goal is to help businesses maximize the value of their technology investments," said Muneer Taskar, Director, Sales at Persistent Systems, a technology company specializing in software product development services. "Integration and interoperability from vendors like Oracle and F5 make customer deployments simpler and less costly to deploy and manage. We look forward to adding this new access management solution to our product portfolio."

"Close working relationships with key identity and access management vendors like Oracle are very important to F5," said Jason Needham, Sr. Director of Product Management at F5. "Together, we can deliver significant value to our joint customers by enabling them to centralize and unify application access control services across increasingly diverse network environments. F5 is committed to providing innovative access management solutions and edge services-such as SSL VPN, acceleration, and other managed services-to maximize IT agility and deliver enhanced functionality, security, and ROI to customers."

About F5 Networks
F5 Networks is the global leader in Application Delivery Networking (ADN), focused on ensuring the secure, reliable, and fast delivery of applications. F5`s flexible architectural framework enables community-driven innovation that helps organizations enhance IT agility and dynamically deliver services that generate true business value. F5`s vision of unified application and data delivery offers customers an unprecedented level of choice in how they deploy
ADN solutions. It redefines the management of application, server, storage, and network resources, streamlining application delivery and reducing costs. Global enterprise organizations, service and cloud providers, and Web 2.0 content providers trust F5 to keep their business moving forward. For more information, go to www.f5.com.

About the Oracle PartnerNetwork
Oracle PartnerNetwork is a global business network of more than 21,000 companies that deliver innovative software solutions based on Oracle software. Through access to Oracle`s premier products, education, technical services, marketing and sales support, the Oracle PartnerNetwork program provides partners with the resources they need to be successful in today`s global economy. Oracle partners are able to offer their customers leading-edge solutions backed by Oracle`s position as the world's largest business software company. Partners who are able
to demonstrate superior product knowledge, technical expertise and a commitment to doing business with Oracle qualify for the Certified Partner levels. For more information, go to http://oraclepartnernetwork.oracle.com.

F5 and BIG-IP are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. All other product and company names herein may be trademarks of their respective owners.

This press release may contain forward-looking statements relating to future events or future financial performance that involve risks and uncertainties. Such statements can be identified by terminology such as "may," "will," "should," "expects," "plans," "anticipates," "believes," "estimates," "predicts," "potential," or "continue," or the negative of such terms or
comparable terms. These statements are only predictions and actual results could differ materially from those anticipated in these statements based upon a number of factors including those identified in the company's filings with the SEC.

F5 Networks, Inc.
Alane Moran, 206-272-6850
a.moran@f5.com
or
Connect Public Relations
Holly Hagerman, 801-373-7888
hollyh@connectpr.com

Symark is now BeyondTrust

2009-09-30T13:23:00.000-07:00

BeyondTrust PowerBroker® Joins Oracle Extended Identity Management Ecosystem

“ONLY 47% OF COMPANIES
IMPLEMENT AN IT REGULATORY
COMPLIANCE PROGRAM.”
- DELOITTE SURVEY, 2009

Information technology and intellectual property are the lifeblood of a typical enterprise
these days. Safeguarding these precious assets is imperative to every organization, and
the number one priority needs to be protecting the organization from itself. Specifically,
protecting administrative, database and superuser passwords, such as root, on Unix/
Linux servers represents the most critical access points to business-critical IT assets and
resources at their most fundamental level. Addressing this dilemma, in addition to the
time consuming tasks of managing multiple identity management solutions, can be an
impossible task for enterprises. That is why BeypndTrust chose to partner with Oracle, in
order to offer a single source solution for all enterprise identity management needs.
BeyondTrust PowerBroker, now part of the Oracle® Extended Identity Management
Ecosystem, provides enterprises with a comprehensive privileged access control application
to implement highly flexible policy language to enforce across multiple Unix/Linux
platforms and operations throughout the enterprise. Features include:

SELECTIVELY DELEGATE ROOT & OTHER SPECIAL ACCOUNT PRIVILEGES
PowerBroker enables users to perform specified administrative tasks without disclosing the
account password to them, dramatically strengthening enterprise security. Additionally,
PowerBroker secures and manages third-party application account privileges, such as Oracle
database accounts, which commonly store business critical information.

HIGHLY CONFIGURABLE SECURITY & ENFORCEMENT POLICIES
PowerBroker offers a dynamic policy scripting language to arm administrators with the tools
to create and manage detailed policies seamlessly, which grant specific access to perform
tasks. Enterprises can granularly restrict per user, group, netgroup, host, day/date/time, to/
from specified hosts, and based upon AD, NIS, NIS+ or LDAP data.

SECURELY LOG, REPORT & PRODUCE RELIABLE AUDIT TRAILS
PowerBroker logs every requested task, including all environmental information, and
encrypts logs to prevent modification. PowerBroker protects enterprises from common
violations of many U.S. and Canadian government compliance regulations and industry
standards such as SOX, PCI, HIPAA, GLBA and FISMA.

QUICK DEPLOYMENT & NON-INTRUSIVE
PowerBroker provides reliable, highly secure operations with minimal impact to existing
systems and network architectures. There are no required changes to the Unix/Linux kernel
or operating system or system reboots after installation. PowerBroker sessions are similar to
telnet sessions, requiring minimal system resources.

To learn more visit:

http://www.beyondtrust.com/

Location, Location, Location!!!

2009-08-27T09:49:00.000-07:00

Why IP Intelligence (Geo Location Data) is important for Authentication?

In the growing area of risk based authentication where organizations from banks to governmental departments are looking to share more information and services with people there is a much greater risk/fear of fraud.

Information Security vendors such as Oracle, RSA, Verisign, and others have complimented their existing Web Access Control technologies like Oracle Access Manager (OAM) with Risk Based Authentication solutions such as Oracle Adaptive Access Manager (OAAM) which assess the risk of fraud at the moment of a transaction and, based on policy, respond by allowing/denying the transaction or requiring secondary or “Step-up Authentication”.

In these scenarios, the more context available to the transaction the better risk analysis. Knowing that a banking customer who lives in Oslo, Norway is trying to send a wire transfer out of the account is actually logging in from Seattle, WA gives makes it simple to understand the potential risk.

IP data enables core risk assessments made within OAAM including; website visitor location (i.e. block high risk locations), network characteristice (i.e. is the visitor connected through an anonymzing proxy—intentionally masking their location), IP data provides an “IP fingerprint” of a visitor.

To help deliver this intelligence to customers Oracle partners with Quova as the preferred IP provider for OAAM. They provide specific ROI advantages over competitors.. Quova’s unmatched accuracy and depth of proxy intelligence data result in increased fraud catch and lower false positive escalations.

And Quova is the only provider that subjects its research process and data quality to annual independent audit by PricewaterhouseCoopers. Quova is widely recognized as the market leader and is in use throughout the anti-fraud marketplace. Quova for OAAM customers include; Monster.com, DFCU, ICICI Bank, National City Corporation.

To Learn more about Quova:
Contact Jon Heintschel
650-528-3739 or jheintschel@quova.com

To Learn more about OAAM
http://www.oracle.com/technology/products/id_mgmt/oaam/index.html

Or to learn about the Oracle Access Suite:
http://www.oracle.com/products/middleware/identity-management/access-management-suite.html

Why the Public Sector needs Bio-Metric Solutions and how ORCL + Daon can help

2009-08-01T07:33:00.000-07:00

Combing Oracle IDM Products with Best-of-Breed Biometric Infrastructure from Daon enables successful deployments across the Public Sector

Why are government organizations looking for this?

Stronger security to mitigate fraud & ID theft (more details below)
Strong Authentication without tokens (more details below)

Why has it not been adopted already?

Requirements for end-points to capture & verify biometrics
Complexity of provisioning & sharing biometrics across platforms and regions

So how can we be successful now?

Provisioning credentials & enabling cross platform SSO
Managing roles and fine grain entitlements

What is the real scoop on Fraud:

eCommerce Fraud Losses Projected to Grow to $3.6 Billion in 2008
Merchants estimate that 1.4% of their online sales will line the pockets of fraudsters
Source: CyberSource eCommerce Fraud Survey, 2007
Société Générale €5 billion in trading loss due to unauthorized trades
Trader executed €50 billion of unauthorized trades and attempted to cover over his losses. When the bank discovered the fraud it had to unwind the position in 3 days, resulting in €5 billion in loss and triggering a world wide financial market sell-off.
Source: CNN, January 2008
$17 Million remediation cost for 45 million stolen credit card numbers
Breach of TJ Maxx’s IT systems led to the lost of 45 million credit and debit card numbers over a period of 18 months. Estimated revenue impact from negative press coverage was $4.5 billion.
Source: Information Week, May 2007

So why is Strong Authentication not enough?

Tokens & Smart Cards require the device to be present, credentials still can be stolen and subject to man in the middle attacks and other Phishing or Virus/Malware breaches
Conversly, Biometric Credentials can not be stolen or replicated, user does not have to carry/track additional tools.
They can be verified for uniqueness against state, local, federal & international databases
Rapidly identify potential threats or risky persons.

This is where it gets tricky

Capturing & Storing Credentials
High cost of having devices at the end-points to capture data
Tremendous disparity in capture/read devices & algorithms
It is difficult to future proof your deployment when devices, algorithms, and infrastructure continuously evolving
Risk of being out of date by the time of production deployment
Challenging to provisioning credentials and synchronize biometrics with apps & infrastructure
Challenge for using single biometric authentication for SSO

So how do you maximize the ROI?

Govt. & Ent. require solutions that compliment & enhance entire IT IDM infrastructure to justify investment.
Oracle IDM Solutions Provisioning Credentials
Oracle Identity Manager (OIM) enables automated provisioning or revocation of accounts based on biometric auth/enrolment
Oracle Role Manager (ORM) ties biometric attributes to user roles
Oracle Entitlements Server (OES) richly defines fine-grain applications entitlements to grant/limit access to specific functions, data sets, or transactions based on level of authentication, roles, and credentials.
Gain seamless authentication across applications with Oracle eSSO (OESSO)
Replaces name/pwd with a a single biometric authentication to increase security level & create single sign-on across web & desktop applications.
Oracle Adaptive Access Manager (OAAM) Ties biometric authentication with broader authentication context (like device identification and location) to validate the entire transaction and identify anomalies or malicious behavior over time.

Here is how the Daon solution fits in...

For more information on Daon please visit their website.

Security solutions for misuse of information & entitlements

2009-07-01T11:59:00.000-07:00

After "Who has access to what?” the question is “What are they doing with it?”

Information security has followed a similar path of information technology. First it was about storing and organizing information in databases and securing that information. Then as applications and middleware evolved to deliver that information and application entitlements to users, Identity and Access management suites developed to securily enable access to them.

But once information and entitlements are in the hands of users it is open for misuse. There are many examples of this:

Accidentally emailing confidential information about M&A to the wrong internal user with the same name like John.Waters@xyzcorp.com instead of Jon.Waters@xyzcorp.com.
Copying sensitive financial or personal information out of a protected application into a file and posting it on an open file share or SharePoint portal
Sales person leaving the company who emails a list of accounts and contacts to themselves before going to work for a competitor.
NT Admin who misues the shared account because they know they are 1 of 30 people with the password and nobody knows who did what with it.
Former employees hacking into a company database because the password never changes as it is hard coded into applications.

The list of potential risks/attacks goes on and on. To help customers identify these and address them, Oracle has once again expanded the Extended Identity Management Ecosystem to include:

Privileged Account Management (PAM) – manage shared and cached credentials for privileged accounts

Data Loss Prevention (DLP) – network and endpoint content-aware monitoring, discovery and blocking

Which is complimented by Oracle IAM solutions that provide consistent Security Services & Policy across layers for

Compliance – Fine-grained entitlements and identity analytics based on consistent user roles

Reconciliation – Closed loop implementation & verification of policies across layers

Our DLP partners (including McAfee, Symantec, & ControlGuard ) integrate with Oracle IRM to:

Discover, classify, quarantine and seal (IRM-encrypt)

Intercept file copies to removable media, classify, quarantine, seal (IRM-encrypt) & release

DLP integration with Oracle IAM will enable :

DLP policies via OID or OVD group membership

Provision/de-provision DLP policies via OIM (groups)

Feedback/tuning of IAM

Similiarly Oracle PAM partners including Cloakware, Cyber-Ark, Liebsoft, and OpenTrust (formerly Symark) , deliver integrations that allows customers to:

Leverage OID/OVD as identity/credential store

PAM policies via OID/OVD groups

Provision/de-provision policies via OIM (groups)

Leverage Oracle database as secure policy store

Secure caching of credentials for unattended application restarts

To learn more about these partners please visit their page on OPN or click on their name above to reach their website directly.

{NOTE: Please click on the above images to see the slides in full size for reading the details}

Cloakware and Oracle Work to Integrate Cloakware Password Authority with Oracle Identity and Access Management

2009-06-30T10:25:00.000-07:00

Integration Strengthens Access Rights Security with Privileged Password Management

Cloakware, the leading provider of privileged password management solutions announced today that it is working with Oracle to extend their suite of Identity Management solutions with Cloakware's flagship product, Password Authority. By combining these two best-in-class products, Oracle is now able to enhance their customers' security management, with a comprehensive solution to manage, protect and monitor access to vital data.

As more and more high-profile data breaches come to light, companies are realizing they need increasingly robust solutions to protect their vital data. A study conducted in January 2009 by the Identity Theft Resource Center of San Diego found that the percentage of breaches attributed to current or former employees more than doubled from 2007 to 2008. In light of findings like this, companies are struggling to balance individuals' access rights to secure information against risk and compliance requirements. Cloakware's patented white-box cryptographic techniques ensure defense-in-depth for end-to-end security of data and keys, especially where insiders have access to the execution environment. Working with Cloakware enables Oracle to offer its customers a solution to securely store and manage privileged passwords for human administrators and runtime applications without changes to the customer's existing infrastructure.

"Extending the Oracle Identity and Access Management Suite with third party platforms provides enhanced efficiency, a higher level of integration and increased effectiveness in terms of application-centric security and risk management," said Ron Huddleston, vice president, North America Technology Channel Sales, at Oracle. "Cloakware's Password Authority is a key part of this eco-system, augmenting our identity management suite."

Password Authority leverages multiple integration points into the Oracle Identity and Access Management Suite, including:

- Oracle Internet Directory (OID) - Password Authority can manage the passwords for accounts held in OID as well as for service accounts that authenticate against OID.

- Oracle Identity Manager (OIM) - Password Authority ensures that password management is synchronized with roles and access rules.

- Oracle WebLogic Server - Password Authority automates the run-time replacement of current passwords in connection strings/connection pools and the management of WebLogic administrator accounts.

- Oracle Database 11g Real Application Cluster (RAC) - Password Authority makes use of the Oracle database as its secure repository for all passwords, and is capable of supporting a geographically distributed database installation. Password Authority is also capable of maintaining and releasing Oracle Database passwords to humans and applications.

"Companies are now starting to understand the importance of employing strict standards to manage access to critical information and protect digital assets; the risks are too high to ignore," said David Canellos, senior vice president, sales and marketing at Irdeto and Cloakware. "By integrating Cloakware Password Authority with Oracle's Identity and Access Management Suite, customers will have a single solution to proactively address security deficiencies and reduce cost and risk in their IT infrastructure."

The combined solution will be demonstrated in Oracle's Hospitality Suite during the Burton Catalyst Conference in San Diego, July 27-31, 2009. The demonstration will highlight how Cloakware's latest product version, Password Authority 4.1, secures password storage, access and lifecycle management for shared privileged administrator and programmatic passwords within the Oracle Identity and Access Management Suite. For more information, please visit http://datacenter.cloakware.com.

Cloakware is a member of the Oracle PartnerNetwork.

About the Oracle PartnerNetwork
Oracle PartnerNetwork is a global business network of more than 20,000 companies who deliver innovative software solutions based on Oracle software. Through access to Oracle's premier products, education, technical services, marketing and sales support, the Oracle PartnerNetwork program provides partners with the resources they need to be successful in today's global economy. Oracle partners are able to offer their customers leading-edge solutions backed by Oracle's position as the world's largest enterprise software company. Partners who are able to demonstrate superior product knowledge, technical expertise and a commitment to doing business with Oracle qualify for the Certified Partner levels. http://oraclepartnernetwork.oracle.com

About Cloakware

Cloakware, an Irdeto company and part of the Naspers group, provides innovative, secure, proven software technology solutions that enable customers to protect business and digital assets in enterprise, consumer and government markets. Cloakware's two main product lines include: Cloakware Datacenter Solutions which help organizations meet governance, risk management and compliance (GRC) objectives for privileged password management while ensuring business continuity and the security of mission-critical data and IT infrastructure. Cloakware Consumer Product Solutions protect software and content on PCs, set-top boxes, mobile phones and media players. Protecting more than one billion deployed applications, Cloakware is the security cornerstone of many of the world's largest, most recognizable and technologically advanced companies. Headquartered in Vienna, VA and Ottawa, Canada, Cloakware has regional sales offices worldwide. http://www.cloakware.com/

Trademarks
Oracle is a registered trademark of Oracle Corporation and/or its affiliates.

Datasheet:
http://www.oracle.com/products/middleware/identity-management/docs/cloakware-datasheet.pdf

Oracle Forms Oracle Identity Assurance Partner Alliance

2008-09-22T07:17:00.000-07:00

Initiative to Provide Comprehensive, Proactive Identity Fraud Prevention Solutions

Oracle OpenWorld, San Francisco – September 22, 2008

News Facts

Further extending its leading Identity and Access Management solution offering that helps organizations combat online fraud and improve overall enterprise security, Oracle today launched the Oracle Identity Assurance Partner Alliance.
Through the alliance, Oracle and members of the alliance plan to deliver solutions that pre-integrate Oracle’s Identity Management Suite with partner technologies to offer capabilities such as identity proofing, Internet geolocation, multi-factor authentication, out-of-band authentication, endpoint security and secure remote access.
Oracle plans to test and deliver unified solutions which are designed to help enable organizations utilize their existing infrastructure investments with new authentication technologies to create a broad-reaching view of transactions, users and their environment. Additionally, the integrations are intended to enable customers to more easily detect areas of risk and respond through secondary authentication measures.
These authentication and security solutions work in a heterogeneous environment including Oracle and non-Oracle information systems and Enterprise Applications. They will also be pre-integrated with Oracle’s data, Fusion Middleware and Business Applications.
Members of the alliance include: ActivIdentity, Bio-Key, IDology, Juniper Networks, Quantum Secure, Quova, StrikeForce Technologies and VASCO, all members of Oracle PartnerNetwork, Oracle’s global partner program.
Pre-built integrations from Juniper and Quova are available today.

Context-Aware Security

Unlike traditional security solutions that only examine user roles and privileges to grant access, Oracle Adaptive Access Manager provides context-aware security that guarantees fraud protection using a variety of identifying information, including the identity of a user’s machine, IP address, geographic location and historical transaction information.
By unifying identity assurance and enhancing the context of a transaction to drive risk-based decisions from the desktop to the perimeter of the enterprise and into the business application infrastructure, Oracle and its partners plan to deliver improved security and superior convenience to end users.

Supporting Quotes

“With the increasing sophistication of security threats, rising online fraud and growing regulations governing online data privacy, organizations need robust end-to-end security solutions,” said Amit Jasuja, vice president, Oracle Identity Management. “However, critical systems that enable fraud protection by linking multiple aspects of a user's identity are often siloed or part of a security infrastructure that is operated in stand-alone fashion. By unifying complementary technologies, the Oracle Identity Assurance Partner Alliance aims to improve overall enterprise security by offering better protection from identity theft and stronger controls to safeguard intellectual property.”
“ActivIdentity is delighted to join the Oracle Identity Assurance Partner Alliance,” said Jerome Becquart, vice president of Products and Services at ActivIdentity. “As an established leader in the identity assurance space, we welcome Oracle’s initiative to further enhance interoperability in the identity ecosystem.”
“Oracle's strategy of bringing industry leading solutions together to provide real-time ID theft prevention solutions delivers a higher value for Enterprise customers," said John Dancu, CEO and president of IDology, Inc. "We are excited to be a part of this network."
“Juniper is delighted to be a member of the Oracle Identity Assurance Partner Alliance,” said Sanjay Beri, vice president, Access Solutions, Juniper Networks. “The reality of today's extended enterprise is a workforce that is not only increasingly mobile, but one that includes non-employees such as partners, suppliers and contractors. Ensuring high productivity requires providing granular access to key mission-critical applications anytime, anywhere, and from any device for these diverse constituencies. Securing this access and preventing fraud and ID theft is a huge challenge that Juniper and Oracle are addressing to deliver greater value to customers.”
“We are proud to be a member of the Oracle Identity Assurance Partner Alliance and are excited to be part of this distinguished group of companies that are dedicated to enterprise security,” said Bill Varga, executive vice president of Business Development at Quova.
“StrikeForce Technologies is excited to participate in Oracle’s Identity Assurance Partner Alliance. Our participation is expected to help Oracle and StrikeForce customers further prevent identity theft – an ever increasing problem for all,” said Mark L. Kay, CEO, StrikeForce Technologies Inc. “Our participation in the alliance should better enable us to provide organizations with a fully integrated authentication solution that meets several mandates.”
“VASCO Data Security is excited to join the Oracle Identity Assurance Partner Alliance and bring its experience and expertise in strong authentication to this group,” said Adam Dolby, director, Strategic Alliances, VASCO. “VASCO's continuous efforts in raising awareness and public education about secure authentication practices such as one-time passwords and electronic signatures fit very well into the Oracle Alliance. We are proud to be part of this group in its endeavor to create a comprehensive real time solution for proactive fraud prevention."

Supporting Resources

About Oracle
Oracle (NASDAQ: ORCL) is the world's largest enterprise software company. For more information about Oracle, please visit our Web site at http://www.oracle.com/.

Trademarks
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
This document is for informational purposes only and may not be incorporated into a contract or agreement.

Infinite Identities

Giving Authentication the Finger

Leaky pipes, call a plumber. Leaky data, call PwC & Oracle

Identity & Access Governance hits the Big Time!!!

Identity Management as an Appliance by AegisUSA

Government is going to the clouds...

Security’s Baby New Years for 2010

The Next Cloud Security Frontier: DLP for the Cloud

7 Secrets of Fraud & Identity Theft

Are Enterprises ready for Identity Management as a Service (IMaaS) ?

Is Novell changing the game with Virtualization Security?

BeyondTrust Suite for Privileged Password Management

Forrester & PwC show where Information Security is going

What's Up Doc?

Provisioning Cloud Services like Google Apps

Bridging Physical and Logical Security

Infinite Identities

Identity Proofing with IDology and Oracle Adaptive Access Manager (OAAM)

Oracle / ArcSight – Providing Real Time Oversight of User Behavior

Vordel Launches Cloud Service Broker

One More Time! Oracle Tops Gartners Provisioning List

Persistent helps organizations say Bye-Bye to CA SiteMinder

StrikeForce Technologies ProtectID® provides step-up two factor “Out-of-Band” authentication to OAAM

No More Tokens!!!

Oracle OPN Days - Virtual Event

Updated Oracle IDM Ecosystem

Symantec announces DLP powered by Oracle IRM

Oracle IRM and Symantec DLP integration announced

IRM at oracle.comOnline demonstrationDownloads on OTNTechnical white paperBusiness white paperThe official Oracle IRM Blog is available here or by looking through the archives.

Identity Management Partners making news at Oracle Open World

What is Consumer SOA? "COSA"

F5 Announces Plans to Unify Access Management for Web Applications

Symark is now BeyondTrust

Location, Location, Location!!!

Why the Public Sector needs Bio-Metric Solutions and how ORCL + Daon can help

Security solutions for misuse of information & entitlements

Cloakware and Oracle Work to Integrate Cloakware Password Authority with Oracle Identity and Access Management

Oracle Forms Oracle Identity Assurance Partner Alliance

IRM at oracle.com

Online demonstration

Downloads on OTN

Technical white paper

Business white paper

The official Oracle IRM Blog is available here or by looking through the archives.