BT (Robert McCausland & Peter Boyle) and Oracle (the ever dapper Christian Patrascu) accepting the European Identity Award from Martin Kuppinger & Tim Cole

The Solution

BT MFR brings together a comprehensive suite of fraud reduction capabilities under a single service. Device recognition, location recognition, behavior recognition and comprehensive policy enforcement through a customizable ruleset (powered by Oracle Adaptive Access Manager) provide granular risk assessments, returned in real-time so that even digital services requiring instantaneous delivery can be risk assessed for suspected fraud.

This functionality is all strung together and orchestrated by an Oracle Service Bus and accessed via web service calls. The routing and transformation layer that OSB provides allows for the augmentation of all the transaction data presented which can subsequently be used in a much richer risk assessment. The sources of such checks could be external URU or internal to the enterprise based on intelligence they’ve built up over years.

Risk assessments from multiple services can thus be aggregated to provide a single response to the protected application, containing all the information required to determine whether any transaction should continue forward.

Thanks to this unique design the service is also able to evolve, with new services integrated into the overall risk assessment procedure as they become required or available, without impacting the single web service call that the customer needs to access this battery of anti-fraud protection.

The Benefits

BTs Managed Fraud Reduction service has brought together a unique set of capabilities that address online fraud in ways that adapt to the organizations specific needs:

• Most online retailers cannot afford to issue password generating tokens to a fickle and ever-changing user-base. so a risk assessment based on transaction parameters such as device recognition and location provides a different way to achieve greater security.
• Online retailers providing digital goods or services cannot wait until shipping to review transactions (as delivery is immediate) so a system based on real-time assessment is greatly beneficial.
• Financial service providers need to assure funds transfers and payments within increasingly short windows (due to regulations such as ‘Faster Payments’) so real-time responses are essential.
• Gaming and leisure services are reliant on age-verification, so require identity verification score aggregated with the normal risk assessment. MFR allows the integration of such additional web services and will launch with BT’s URU identity verification available as an option.
• With the BT MFR service in place, customers can demonstrate to auditors that fraud prevention strategies are in operation and as a cloud service allows them to demonstrate this at a fraction of the cost compared to a self build strategy.
• With a robust fraud solution in place, customers can demonstrate to merchant acquiring banks that liability has been reduced.
• The architecture removes the need for the customer to contract separately with multiple vendors providing identity and fraud related services.

Addressing all market sectors and territories, fully customizable and simple to use, BT Managed Fraud Reduction service is an evolving one-stop solution to the ever-changing challenge of online fraud. And Oracle is proud to be a part of the solution.

Tags: BT, EIC11, European Identity Award, European Identity Conference, Fraud Prevention, Identity Proofing, Managed Fraud Reduction, OAAM, Oracle Adaptive Access Manager, Oracle Identity Management, Oracle Service Bus, Oracle_IDM, Risk Management

In this adaptation of the talk I gave at the Gartner Summit, I lay out how identity management, data mining, business processing and analytics come together as Identity Intelligence to address enterprise needs for greater transparency, compliance, risk management and business decision support. Check out the slidecast, which clocks in at a comfortable 20 minutes or so, and learn how we are bridging the divide between IT and the Business, and making security smarter.

Tags: Gartner IAM Summit, Identity Analytics, Identity and Access Intelligence, Identity Intelligence

The deck I presented (with audio) is below. Check it out and leave me your comments.

Tags: Entitlement Management, Identity Services, Security Architecture, Service-Oriented Security

I’ll be kicking off things alongside Vipin Samar and Jeff Margolies on the keynote panel “2011: Information Security Trends for the Next Decade“. And throughout the event, Oracle security solution experts will be on live chat event to answer your toughest questions. I’m only going to stay on for a little while after the keynote finishes, so be sure to join on time if you want to grill me.

Register to attend this online event and find out how you can take a proactive approach to secure your enterprise.

Tags: Conference, Enterprise Identity, Identity Management, Oracle Identity Management

The 3 case studies presented deal with one issue: Privileged IT Administrators who have complete access to systems, and use it to either systematically abuse your trust or wreak havoc when provoked. In every case, the damage to the organization was substantial, and the steps needed to recover were extreme (I especially liked one companies solution to their potential hostage crisis: put the guy on a cross country flight, and use those 5+ hours to change all the passwords).

It has been well understood for years that insider fraud is a far bigger threat to organizations than anything that could be done from the outside (barring specific domains like national security). Not only do system administrators usually have complete access, but they can move around your network with impunity – no auditing, no oversight, no accountability. In effect, the IT environment that you spend so much time locking down has a wide open backdoor that can be exploited by a small but highly skilled populace to do significant damage. And when you broaden your view a bit, you find that this goes beyond just the system administrators to other “trusted” users as well – employees that use shared, highly privileged accounts to execute transactions that are sensitive and crucial to the business, but could also be abused.

Organizations that take a comprehensive and holistic approach to identity and access management can protect themselves against the possibility of these sort of nightmare scenarios playing out. While the article outlines some basic HR type steps that organizations can take, like better background checks, it doesn’t go into any specifics about how a properly defined identity management program can help in mitigating these risks. So how can IdM address some of the issues brought out by the article? Let’s review.

1) Strengthen Your Core

The core of identity management – SSO, identity administration, provisioning (including de-provisioning) – is obviously essential. Within that, it’s important to realize that one reason shared accounts proliferate is due to its convenience and expediency, because no one wants  the overhead and pain of getting properly privileged accounts. But a well designed access request system, with intuitive self-service, adequate workflow and policy controls and the right level of automation will help organizations avoid slipping into shared account hell – by empowering users without sacrificing security.

2) Avoid Excessive Privilege Accumulation

The article points to classic “privilege escalation” as a culprit, where users are given additional privileges to deal with short term project needs, but then those privileges are never taken away after the need goes away. Over time the user accumulates a large set of privileges that not only allow them to continue to do things long after they should no longer be able to, but can can create a toxic combinations of privileges that gives them the ability to take actions that should never be allowed by policy.

There are a few things you can do to address this problem. First, your identity administration system should support time or context bound privilege escalations. If a user is being given additional privileges because of a specific need, make that grant role-based or time-bound. That way, when the conditions that led to the privilege escalation expire, those privileges get taken away and are not left with the user. Second, make sure to leverage Separation of Duties (SoD) policies, so that you can detect and therefore prevent situations where a privilege grant is going to result in the user having an undesirable combination of entitlements that could be abused. This would be leveraged not only during the initial privilege grant to alert someone with oversight responsibilities (like a manager), but also during an entitlement review, which is the third mitigating control. Periodic entitlement reviews are now essential to combat privilege accumulation and also prove compliance. And entitlement reviews that get triggered when events such as privilege escalation occur not only help in keeping people focused on the problem (instead of it getting buried in the details), but also let your people know that they are being monitored. Getting in-depth and comprehensive insight into your IT environment is key to managing excessive privilege accumulation.

3) Make your Access Context-Aware

This is where we think the future of identity management is headed. Two of the scenarios outlined in the article describe situations where the privileged employee decided that they were going to take drastic action to inflict maximum damage on the company. By profiling the behavior of the user, and comparing the users actions to established patterns, you can detect anomalies that would indicate that some kind of fraudulent activity is underway. The article also talks about “Sally” taking her laptop home and still being able to use high-level privileges. But if your access management system can leverage environmental variables like device IDs, network profiles and IP geo-location as part of its authorization context, then it can limit the use of elevated privileges when the right conditions are not met.

In all these cases, the IdM system, having detected potential fraud, now has the ability to initiate corrective action, like elevating the monitoring of the user activity, up-leveling the assurance of the identity in play by asking additional authentication questions or presenting 3rd party or application data that only the correct user could verify, and even outright denying the user access. By monitoring the full picture of what is actually occurring in real-time, you can detect or prevent fraud. And you can do it without negatively impacting the user experience. In effect, the access adapts dynamically to the user behavior and the risk level of the transactions.

4) Protect Your Keys to the Kingdom

The article points out that “threats from privilege-laden IT employees are especially hard to detect. For one thing, staffers’ nefarious activities can look the same as their regular duties”. And when you have multiple people in the IT staff who know how to utilize these system accounts, it’s hard to pinpoint the exact perpetrator of the actions. That’s why using a Privileged Account Management system is so important. By putting a control system around the most sensitive and powerful accounts that an organization has, you can make sure that you are never going to be in the situation where an employee can hold you hostage. Administrators can no longer go in and change the passwords without the organization knowing, all their activity can be monitored and traced, and their access to the privileged accounts can be cut off in one fell swoop (instead of having to put them on a plane ride to California).

5) Protect Your Data

Sounds obvious, right? But the fact that the current state of affairs means that your DBA can go in and “download 400 customer credit card numbers from your e-commerce server” is all too common. Your database cannot be overlooked in your access management strategy. Organizations need to ensure that their privileged users and DBAs are restricted from accessing sensitive application data, despite having high-level privileges on the database. They need to implement controls to enforce separation of duties and also use solutions like transparent encryption to protect data against unauthorized access by OS level users. And they need to monitor their database configuration on a continuous basis, and audit their users to know who did what and when for accountability.

The Right Tools Make the Plan

The article correctly points out that technology is not enough. “It’s a combination of technical safeguards and human observation that offers the best protection, says CERT’s Cappelli”. On the identity management side of things, however, there are a number of things that organizations should be doing that they don’t. And by putting in place this kind of comprehensive identity management program, with the right controls that constantly optimize and enforce policies that mitigate risk, an organization can help the people in charge be informed, aware, alert and in control. And that sounds like a plan.

Tags: Adaptive Risk Manager, Audit Vault, Database Security, Fraud Prevention, Identity Analytics, Oracle Adaptive Access Manager, Oracle Identity Management, Privileged Account Management

But there is a catch. One of the benefits that enterprises frequently consider when going with a SaaS application is the fact that the user does not have to be within the corporate network to access these systems. These systems can be accessed from any computing device, so long as it has an internet connection. It could be the computer in the hotel business center, or a laptop borrowed from a friend. But in an SSO-protected world, no one knows their application specific passwords any more (by design). So how can a user access the SaaS application if they do not know their password?

Yes, I know that we want to kill passwords (multiple passwords, to be precise. And I am all for it). But the day when enterprise will allow users to come in and use their own OpenIDs is still somewhere in the murky future, and we need a more practical solution pretty much right now.

Single Sign-on From Anywhere, To Anywhere

December was a heavy travel month for me, between work travel and vacation, and I actually encountered this problem a couple of times. So I thought I’d use my first post of 2011 to highlight this very real challenge that enterprises are starting to face, and describe a little known solution we have (thanks to the Passlogix acquisition). Oracle Enterprise Single Sign-On Suite Plus or Oracle ESSO (formally Passlogix v-GO) provides seamless SSO to a wide range of enterprise resources through the use of a desktop agent that manages all of the user’s account names and passwords on their behalf. Applications, including SaaS and Web resources, are recognized when they are launched based on their unique attributes, and the correct access credentials are supplied to each as required, transparent to the user.

Oracle ESSO solves the specific challenge posed above through on-demand functionality called Oracle ESSO Anywhere. When deployed, ESSO users can download a transient version of the agent by clicking on a website link. The user is now able to access the SaaS applications with the same protections afforded by the permanently installed agent inside the enterprise. An added benefit is that this also helps protect against users exposing passwords to threats that capture input directly from the keyboard (keyloggers). When the agent is shut down, the on-demand software removes all traces of the ESSO application and the user’s application credentials, ensuring that security is maintained.

Oracle ESSO Anywhere

Cool, right? I wish there was a personal edition of this that I could use for all my web-based services. This also highlights another aspect of identity management that is top of my mind as we start a new year. Enterprise environments are evolving rather rapidly, so it’s important to make sure that the solutions you deploy can adapt to your changing environment. As access to your resources evolves beyond the desktop to the myriad of computing devices (smartphones, tablets like the iPad, etc) “infiltrating” your enterprise, we’re going to see significant changes to traditional IdM. And that’s a good thing.

Tags: Authentication Management, Cloud Security, ESSO, Oracle ESSO, Oracle Identity Management

Somehow, I’ve been added to the agenda, to speak about Oracle Identity Management and how it can be used to meet the requirements of the Federal ICAM initiative. It’s a topic that I’d love to do a deeper dive on, and this session has provided me the opportunity to get a little more familiar with it.

There is still time to register for the event, taking place at the Washington Marriott Wardman Park. Just click here to see the details and register. And if you’ll be there and want to connect, then just drop me a line/tweet/comment/email.

Tags: FICAM, ICAM, Oracle Federal Forum, Oracle Identity Management

• Google recently introduced two-factor authentication for Google Apps. The mechanism they chose to employ relies on a one-time password token delivered to a cell phone either by an SMS text message or a call to the phone (anyone that has signed up for Google Voice and tried to add a phone number will be familiar with the call-based mechanism). Google combines the OTP mechanism with device authentication (“trusted” devices like a desktop computer won’t require the second factor, while a work laptop that can get stolen, and therefore misused, will). So enterprise use of Google Apps just got a lot more secure.
• Meanwhile, Windows Live has introduced essentially the same mechanisms in their account recovery process for Hotmail accounts.

These recent developments provide very good proof-points for how multi-factor authentication can easily be incorporated into IdM programs in a user-friendly manner. As part of the Oracle Identity Management suite, Oracle Adaptive Access Manager provides enterprises the capability to roll out the same features (among many others) as part of their access management program, giving them the ability to leverage two-factor authentication in a simple form factor.

OAAM Support for Multi-Factor Authentication

In fact, the ability to step up authentication using different channels as part of a risk-based identity management program that takes device identities into account was a major component of a demo we did last week at OpenWorld. The demo, in IdM VP Amit Jasuja’s session on “Oracle IdM 11g Review & Future Directions”, highlighted the potential for identity to power the next-generation mobile workplace. The basic idea was that any time a transaction is identified as being high risk (a user modifying core privileges of a role, doing an in-application privilege elevation request, or accessing the application from a previously unused computer), the access management system can force the user to re-authenticate to the system using a mechanism that is distinct from what they used initially (like logging in using SSO).

The key differentiator here is “risk-based“. While OAAM can provide enterprises a cost-effective alternative to hardware token based MFA, it doesn’t stop there. It also allows enterprises to bring in advanced real-time risk analytics, proactive actions, investigation tools and robust customizable reporting. The result is a comprehensive tool for managing security and risk as part of your enterprise’s overall identity management and governance programs.

Tags: Authentication Management, Google Apps, Multi-Factor Authentication, One Time Password, Oracle Adaptive Access Manager, Strong Authentication

In my session, I talked about how, thanks in large part to the emergence of cloud computing, enterprises are moving towards a borderless IT infrastructure that is going to change how security is done. The traditional mechanisms of security that are built on topology are going to have to be replaced by a security architecture built on the constant that can actually flow across domain boundaries – identity.

Yoda himself made an appearance to make the point.

My presentation was divided into a few parts:

• I revisited the issue of security in cloud computing, in particular highlighting specific areas that need to be addressed.
• I talked about the foundational elements to building an identity-based security model for your cloud environment, and how to evolve that into a full-fledged platform for your cloud applications.
• I also talked about the products and capabilities available in the Oracle Identity Management 11g suite, and some of our future plans aimed at specifically addressing the cloud.

You can check out the presentation below (I hope to add the session audio to it at some point).

Tags: Cloud Computing, Cloud Identity Model, Cloud Security, OOW10, OpenWorld, Oracle Identity Management, Oracle OpenWorld

Oracle Security Governor for Healthcare is a governance solution that is aimed specifically at healthcare organizations, where the introductions of various regulations globally and the transformation of healthcare IT has created a number of challenges in the area of patient confidentiality that need to be addressed.

• VIP record snooping
• Medical identity theft and fraud
• Healthcare data theft and fraud
• Coworker, family member and neighbor record snooping

Oracle Security Governor for Healthcare addresses these concerns by providing a solution that helps proactively protect and prevent privacy and security breaches, insider snooping and medical identity theft in an organization. The solution is based on some key features:

• Rapid Incident Detection: Criteria based automated reporting functionality that allows rapid incident detection, case management and investigations.
• Automated Privacy Audits: Allows audits on activities of various entities accessing the applications and reports suspicious activities.
• Accelerated Enterprise-wide Data Retrieval: Allows rapid integration with existing systems.

Architecture

Oracle Security Governor is built on some key products in Oracle’s portfolio, enhanced with some healthcare specific intelligence and artifacts.

Oracle Security Governor for Healthcare Architecture

• Oracle Security Governor for Healthcare leverages the Oracle SOA Suite Adapters (like Database, Log and HL7 adapters) to pull data in from virtually any data source into a central data warehouse.
• In-database data mining and predictive analytics built using Oracle Data Mining is used to detect anomalies and suspicious activity that may have taken place in the past.
• The solution also uses an advanced risk assessment engine (based on Oracle Adaptive Access Manager), which has been pre-loaded with healthcare specific risk and fraud rules to proactively detect incidents.
• Oracle Entitlement Server provides unique risk-aware fine grained authorization on record and data access, cutting down the possibility of unauthorized activity and fraud.
• Finally, Oracle Business Intelligence Publisher is used to provide insight into all of this through risk analytics, reports and alerts.

Benefits

Oracle Security Governor helps deliver significant benefits to a healthcare organization. Some of these benefits include:

• Historical Detection: that can be used as audit trails and for detection of suspicious activities related to access, privacy, fraud and security breaches, that have taken place in the past.
• Real Time Detection: Oracle Security Governor can also be used to detect suspicious and fraudulent activity, in the real time.
• Real Time Prevention: Oracle Security Governor can prevent suspicious activities, in the real time. The activities detected as anomalous or suspicious can either be completely blocked or the end-user can be alerted or required to meet additional security requirements, depending on the deployment needs.

Oracle Security Governor for Healthcare Benefits

Looking Ahead

Oracle Security Governor for Healthcare is just the beginning. In the future, Oracle hopes to use the Oracle Security Governor framework to build more solutions that address challenges faced in other verticals besides healthcare. But that doesn’t mean you have to wait – you can leverage the products mentioned above to build your own security and privacy solutions. Just ask us how.

You can find more information about Oracle Security Governor for Healthcare here on the product page.

Tags: Healthcare IT, Healthcare Security, Identity Analytics, Identity Governance, OOW10, Oracle Identity Management, Oracle OpenWorld, Oracle Security Governor, Oracle Security Governor for Healthcare, Privacy