And if there are any questions you want to ask me, then ask them during the webcast, or send them my way ahead of time via twitter.

Tags: Application Security, Application-Centric IdM, Service-Oriented Security

1. The answer cannot be easily guessed or researched [Safe]
2. The answer doesn’t change over time [Stable]
3. The answer is memorable [Recall-ability]
4. The answer is definitive or simple [Simplicity]

Good criteria to remember next time you are deciding between “What is your pet’s name?” and “What was the name of your first stuffed animal?”.

Of course, the service you are interacting with needs to allow you to choose from a large enough set or supply your own questions so you can adhere to this principle. And a highly sensitive application should go beyond just plain security questions. While most services are moving towards simpler yet more secure mechanisms – emailing the user short-lived password reset tokens, for instance – there are many cases where you still need a challenge-based mechanism (like when the forgotten password is the one used to access your email).

Knowledge-Based Authentication has gotten increasingly sophisticated over the last few years, and enterprises looking to leverage this can do better than just providing their users a few hard-coded questions to choose from. Oracle Adaptive Access Manager 11g brings features like Answer Logic (which employs fuzzy logic to increase the usability of security questions) and One-Time Passwords (delivered via SMS, email, IM or voice) into the mix, while also adding real-time risk analytics to make the overall process more secure, reliable, usable and cost-effective.

And all of this is delivered as a service so that enterprises can incorporate KBA into their various applications as needed. In fact, as part of the suite-wide integration design theme of Oracle Identity Management 11g, OAAM now has out-of-the-box integrations with Oracle Identity Manager and Oracle Access Manager. So if you deploy the suite, the real-time risk analytics and risk-based challenge mechanisms of OAAM are automatically leveraged by those other products. It is a sweet thing to behold.

Even as we sound out the call to kill passwords (an NPT for passwords; I like that), KBA will continue to be a critical tool in the identity proofing arena. So keep an eye out for all the innovation that will take place in this field.

Tags: Identity Proofing, Knowledge-Based Authentication, OAAM, OIM, Oracle Identity Management, Oracle Identity Management 11g, Password Management, Password Recovery Techniques, Security Questions, Service-Oriented Security

In a previous post, I described which IdM products were included in the first rollout of 11g last year. This phase includes the following products:

• Oracle Identity Manager
• Oracle Identity Analytics
• Oracle Access Manager
• Oracle Adaptive Access Manager
• Oracle Directory Server Enterprise Edition
• Oracle OpenSSO Secure Token Service
• Oracle OpenSSO Fedlet
• Oracle Navigator
• Oracle Enterprise Manager Grid Control Pack for IdM

As you can see, a major focus of this release (and a late add to the slate, I might add) was delivering on some of the promises we made to integrate the Sun IdM products into our portfolio. The other was to address customer concerns around manageability and usability of the products. If you saw the webcast, you saw the demos showing off the slick new desktop-like UI that the products are sporting, based on Oracle ADF. The shared services model removes inconsistencies between the different products in the suite, both from a behavior and functionality standpoint. And a lot of attention was paid to really ratcheting up performance to meet enterprise needs as they start to manage extranet environments in addition to their intranet environments.

In the coming weeks I and other bloggers in the Oracle IdM community will share a lot more detail about these releases. So stay tuned. In the meantime, check out the Fusion Middleware Launch Center, where you’ll find videos, data sheets, webinar’s, and white papers

Tags: Oracle Identity Management, Oracle Identity Management 11g, Service-Oriented Security

But the best part of the CAB was the response that our customers gave us for the upcoming Oracle Identity Management 11g release. No one is in a better position to judge whether we are delivering on what our customers need than the organizations that have been using our products for years now. We got positive affirmation that makes me believe that the focus we put on usability, manageability, identity services architecture and suite integration is going to pay off. The demo sessions were packed and warmly received, even running long because of all the discussions that ensued. And you know you did a good job when customers start to come up with new ideas that play off your new features instead of critiquing those features themselves.

Well, today is launch day, and finally the entire identity industry can see what we have been cooking and judge for themselves. To get started, you can check out the launch webcast today (Wednesday, July 21) at 10:00 a.m. PT / 1:00 p.m. ET. Our VP for development of Identity Management products, Amit Jasuja, will be providing a detailed introduction to this release, so register now. There will be a whole bunch of information being put up on oracle.com/identity. And if you are going to be at Burton Catalyst in San Diego next week, then you can stop by the Oracle hospitality suite (Wednesday, July 28 from 6-9 pm in room Aqua 308) and see demos of all the new products.

I can assure you that we build IdM products much better than we cook miniature ham croquettes minus the ham (you had to be there).

Tags: Oracle Identity Management, Oracle Identity Management 11g, Service-Oriented Security

Last year, as part of the Oracle Fusion Middleware (OFM) 11g launch, Oracle announced the availability of the first components of the Oracle IdM 11g suite, which included Oracle Platform Security Services (OPSS), Oracle Internet Directory (OID) 11g, Oracle Virtual Directory (OVD) 11g, and Oracle Identity Federation (OIF) 11g. OFM 11g provides a unified, standards-based infrastructure allowing customers to develop, deploy, and manage enterprise applications. As part of this, Oracle IdM 11g establishes Oracle Identity Management as a security development platform, delivering on our vision of Service-Oriented Security, and becomes Oracle Fusion applications’ de facto security infrastructure.

This next phase builds on that by focusing on enabling business agility in both the IT and Compliance arenas. Security needs to be agile to keep up with the demands of an ever evolving enterprise architecture, and this is best done through the service-oriented approach that 11g enables. And in this economic climate, being able to make your compliance initiatives sustainable and achieve ROI from your solutions is more important than ever. The innovation and enhancements that are coming in 11g are designed to help businesses struggling with the staggering costs and complexity of meeting emerging security and compliance mandates.

You can learn a lot more about Oracle Identity Management 11g in an upcoming launch webcast that Amit Jasuja, Vice President of Identity Management and Security Products, will be doing on Wednesday, July 21 at 10:00 a.m. PT / 1:00 p.m. ET. And if you are on Twitter, then you can submit questions for Amit prior to the event by marking them with the hashtag “OracleIDM”.

And, for my faithful readers, I will be blogging about the various innovations coming out of this release in the coming weeks. So tune in, through whatever channel you can.

Tags: Identity Management, Oracle Identity Management, Oracle Identity Management 11g, OracleIDM, Service-Oriented Security

Their solution was built around SmartSoft’s SRM (Smart Risk Manager) Fraud Management System and Oracle Adaptive Access Manager, our solution in the area of strong authentication and proactive, real-time fraud prevention. SmartSofts’ expertise in EMV and payment card systems means that they understand credit card fraud at a deep level. This understanding is the basis for the fraud controls that SRM introduces at the merchant and issuer sides, detecting fraud in real-time and taking just-in-time precautions and actions. The bank has been using SRM for over 2 years to secure their credit and debit card operations.

The Challenge

The bank wanted to bring the same level of fraud management that they had achieved with their credit and debit card operations to their internet banking channel. This would require understanding the mechanisms of internet banking fraud, enable comprehensive and automated tracking of online transactions, and use this to identify instances of frauds in real time. The bank also wanted to make sure that they fully complied with international and domestic regulations for internet banking.

The Solution

In order to do this, the bank worked with SmartSoft and Oracle to add OAAM Adaptive Risk Manager (ARM) into their fraud controls system. ARM is OAAM’s back-end, proactive real-time fraud detection product, providing a behind-the-scenes comprehensive anti-fraud software solution. ARM provides a strong second and third factor of security by verifying a host of factors used to confirm identity – from device characteristics (the computer and mobile device used to login) to a user’s location and online behavioral profiles. Adaptive Risk Manager can also trigger numerous actions based on its analysis, such as challenging or blocking the user.

For the deployment, the project team conducted a broad analysis of requirements in terms of internet banking fraud rules, and configured more than 50 OOTB rules in OAAM’s rule engine. They also developed an advanced scoring mechanism for real-time analysis of each transaction’s fraud probability, aimed at achieving a detection rate of nearly 99% of all fraud attempts.

An information channel was defined between OAAM and SRM, whereby the two systems can enrich each others decision-making data. For interactions originating in the internet banking channel, OAAM can calculate risk levels and notify SRM about high risk transactions. Conversely, SRM can send fraud data for risky transactions it encounters to OAAM for use in its behavioral analysis. This integration between the two systems makes the fraud analysis richer and more reliable.

On top of this, the bank’s fraud analysts are using existing reporting capabilities and Oracle BI Publisher for deep down reporting and trend analysis to identify zero-day fraud patterns. Case management also enabled the organization to take care of risky activities and provide flexible service to end-users in real time.

The Results

The bank deployed OAAM in just three months, providing the bank’s fraud analysts with comprehensive visibility and monitoring capabilities for internet banking transactions. With the deployment in production, the bank was able to achieve a previously unmatched level of security for internet banking and fully ensure Şekerbank’s compliance with international and domestic regulations. They were also able to realize a decrease in operational costs for surveying internet banking transactions of ~70%, as now only 2% of all transactions require manual control following a system alert.

It’s always good when you come across a success story like this one, and when especially when the project teams get the recognition they so richly deserve (but seldom get). Kudos to them on the success of the project and the award.

Tags: Adaptive Risk Manager, EIC10, EIC2010, European Identity Conference, Fraud Prevention, OAAM, Oracle Adaptive Access Manager, Oracle Identity Management, Risk Management

Directory Services

Sun Directory Server Enterprise Edition (DSEE) and Oracle Internet Directory (OID) will co-exist as strategic products (contrary to some interpretations out there). This is because each product has a unique set of capabilities that address different market segments and use cases. Oracle will innovate both directories, which includes adding some of the administration, reporting and systems management capabilities that have been built for the OID and OVD products to the DSEE product. Sun DSEE will be re-branded as Oracle Directory Server Enterprise Edition.

Meanwhile, Sun OpenDS will continue as an open-source project.

Oracle Virtual Directory will be the strategic product for identity virtualization.

Access Management

Oracle Access Manager will be the strategic product for web single sign-on. Sun OpenSSO will continue on as an open-source project for the community.

Sun’s Fedlet capabilities will be integrated into Oracle Identity Federation, which will be the strategic product for Federated Single Sign-On.

Sun’s Secure Token Service will become part of the Oracle Access Management Suite going forward.

Products that aren’t impacted by the Sun acquisition, and therefore remain strategic for their specific areas are Oracle Entitlement Server (fine-grained authorization), Oracle Adaptive Access Manager (strong authentication and risk-based access management), Oracle Web Services Manager (SOA + Web Services security) and Oracle Enterprise SSO (SSO for Desktop and Mainframes).

Identity Administration

Oracle Identity Manager will be the strategic identity administration and provisioning product moving forward. Sun Identity Manager, re-branded as Oracle Waveset (didn’t think I’d hear that name again outside of reunions), will be maintained for quite some time, and some of its key features like IDE integration and tamper-proof auditing will be integrated into OIM.

Identity Governance

Sun Role Manager will be re-branded as Oracle Identity Analytics and will become the strategic identity governance product in the Oracle Identity Management Suite. It will provide capabilities in the area of role mining, compliance attestation, and identity dashboards and reports, and will be enhanced to leverage some of the best-of-breed capabilities that Oracle has in the area of business intelligence and data mining. Note that role lifecycle management capabilities continue to be offered currently via the Oracle Role Manager product.

General

Throughout this acquisition, Oracle’s focus is on the customer. We want to make sure that customers continue to remain successful in their projects, and get value from the investments they have made. This is reflected in some of the strategic decisions made, and in points made throughout the webcast:

• In most cases, Oracle will be developing migration tools to help customers move to the new strategic products.
• Oracle will be providing support and maintenance for all the Sun products for a very long period of time, including lifetime support in certain cases.

Obviously, there will be a lot more information coming in the next few weeks/months. Stay tuned, and check out oracle.com/identity for more information.

Tags: Identity Analytics, Identity Governance, OpenSSO, Oracle Access Manager, Oracle Identity Management, Oracle Identity Manager, OracleSun, Oracle_IDM, Sun Directory Server, Sun Identity Management, Sun Identity Manager, Sun Role Manager

It took so long, I think of lot of people thought this day was just a mirage. And unfortunately, the delay has cost us (in the identity management team) the opportunity to work with some great folks like Eve Maler and Pat Patterson. But now it is done, and the real work can begin as we start to lay out exactly how the IAM suites of the two companies – arguably the best in the business – will come together. It isn’t going to be easy, and our emphasis on our customers means that it can’t be quick, but the result should be great. In the Oracle+Sun strategy update this morning, Thomas Kurian gave the following overview on the Identity Management product strategy:

• Oracle Identity Management Suite continues as the strategic family of products, but Oracle will continue to invest in and share technology between Sun and Oracle products
• Both Oracle Internet Directory (OID) and Sun Directory Server will be supported, with common LDAP administration through our DS Management tools. Oracle will continue to maintain OpenDS
• Sun Role Manager will become Oracle Identity Analytics, the strategic identity analytics tool
• Oracle Identity Manager, Oracle Access Manager, Oracle Virtual Directory, Oracle Entitlements Server and Oracle Identity Federation continue as Oracle’s strategic products for their respective areas, with technology incorporated from Sun
• Oracle will invest in Sun Identity Manager and integrate it with Oracle Identity Manager
• Oracle will also invest in Sun OpenSSO and integrate it with OAM

Of course, the devil is in the details, and I expect that the coming weeks and months are going to be a little crazy as those details are laid bare. Planning has been going on for a while, and now those plans can finally be communicated and the ramifications thrashed out. That should provide a fair amount of fodder for discussion in the blogosphere and twittersphere (so stay tuned). I’ll try to provide some information here as and when it can be made public.

And a warm welcome to all my new colleagues from Sun. Buckle in for what should be a very interesting ride. I’ll be at Oracle HQ in a couple of weeks to participate in some of the planning and discussions that will be happening. So if you will be around, then lets meet up.

Tags: Oracle Identity Management, Oracle Identity Manager, OracleSun, Oracle_IDM, Sun Identity Management, Sun Role Manager

The session had a nice flow to it, starting with a vendor presentation (Oracle, of course), followed by an analyst presentation (Bob Blakley and Lori Rowland from the Burton Group) and concluding with a customer presentation (our old friend Ramin Safai from Barclays Capital). Getting to discuss identity management from all points of view was quite a valuable exercise, and I gleaned lots of useful nuggets.

Security Inside Out

Amit Jasuja (who heads up the Identity Management team at Oracle) kicked off the day by talking about “Security Inside Out“, Oracle’s new message on putting together a complete security practice by bringing together Database Security, Identity Management and Information Rights Management. Weaving all of these elements together allows an enterprise to get a complete handle on the nature of their security risk across all tiers – database, middleware and application – and in all contexts – data at rest or in motion, internal users vs. external users, and so on. This led to a lot of discussion on moving towards risk-based identity management, which can be more adaptive to an enterprise’s needs and allow identity management to be a business enabler, not a hindrance.

One of the concepts I particularly liked was using identity management to enable “Break The Glass” scenarios that allow for contextual security decisions. In such a scenario, a user who ordinarily does not have access is allowed to get access but with added controls (like heightened audit, approval and attestation) to address the unique, emergency-like situation that presents itself. Being able to adapt to sensitive contextual situations without sacrificing on security and compliance is a powerful message that resonates in the enterprise world. Another topic that proved fertile for conversation was for risk-based IdM to leverage One-Time Passwords delivered via SMS or over land-line phones in order to implement higher levels of identity assurance (LOA). As two-factor authentication goes, enterprises increasingly view this as an attractive way to increase levels of assurance without having to invest in tokens and biometrics.

Complete Security

The Burton Group team talked about the state of identity management in the market today, especially emerging trends and hot-button topics. Lori validated my observation that cloud computing is going to have a huge impact on the future of identity management, and gave a nice shout out to my OpenWorld session on the topic. One of the interesting takeaways from their talk was this point that Bob made about achieving complete security: An enterprise needs to have preventive controls that allow business to be conducted as usual but flush the bad guys into the open, where detective controls can identify them and their activities, which would then allow responsive controls (aka the cops) to take action.

Down In The Trenches

Ramin then gave a customers perspective on implementing identity management – from “down in the trenches”, as he called it. There were a lot of good lessons in his talk – about scoping the project correctly and dividing it into small, achievable mini projects that demonstrate ROI, about the processes and architecture they put in place to ensure success of the project, and some of the achievements they had with their IdM implementation, especially when Barclays acquired Lehman Brothers. One of the major points made in the room during discussion was that security within the enterprise needs to be driven top down by an “Executive Governance Board” in order to achieve  consistency and completeness. It cannot be done piecemeal at the IT level.

I love taking part in sessions like these, as it is great to be able to hear so many different perspectives. And thanks to Greg Belanger from the Apollo Group for giving me a shout out during the analyst discussion on Oracle’s differentiators in the identity management area. The point he was making about Oracle demonstrating vision in IdM is an important one that we are very serious about here, and I am glad to be a small part of that.

Tags: Identity Assurance, Identity Controls, OOW09, Oracle OpenWorld, Risk Management

Oracle’s big shindig is the place to come to if you want to find out about all that is going on in the world of Oracle. And this year is no different. The conference is bigger than ever (I hear upwards of 43,000 will be attending), and there will be some big announcements at the keynotes. Oracle Identity Management will be well covered at the show, both on the demogrounds and in the many sessions, where IdM got its own track.

Not surprisingly, I will be speaking on the topic of Identity Services. My 3rd session on the topic continues the discussion I started 2 years ago in a session on application-centric identity management. If you are going to be at OpenWorld, then definitely come check out my session, as I delve into the practicalities of building an Identity Services Platform for your enterprise.

Session ID: S298923
Session Title: Building an Identity Services Layer with Oracle Identity Management
Venue: Marriott
Room: Golden Gate C3
Date: Wednesday, 24th September 2008
Start Time: 09:00 am

During the session, I will present how one can go about deploying identity management in a way that enables the development of identity-enabled applications. I will also discuss some of the things I have learnt from participating in Burton Group’s Identity Services Working Group, my many conversations with the identirati at Catalyst and DIDW this year, and from my continued involvement in Project Fusion, which lays down the architecture for the next generation enterprise application. Unfortunately I drew the short straw and got the 9am shift, so there are sure to be people who won’t make it as they recover from their shenanigans the previous night. Hopefully I will still be on East Coast time, and sufficiently caffeinated

And as always, I will be twittering my observations from OpenWorld in real-time, so be sure to follow me for the latest. I hear there will be a number of interesting announcements.

See you in San Francisco.

Tags: Oracle Identity Management, Oracle OpenWorld