Wednesday, July 1, 2009

Oracle Identity Federation 11g is Now Live

We launched Fusion Middleware 11g today. It's not just announcements - the software is ready to download.

There is more information on the updated Identity Management site.

It's a major milestone for Oracle Identity Federation, reflecting over 2 years of work.

So what is new?

First - all 11g Identity Management components are now integrated with Enterprise Manager Fusion Middleware Control (EMFMC). EMFMC provides customers with operational monitoring (is the server up/down, how is it performing) and is the single point of access for logging and auditing.

Second - Oracle Identity Federation is now a J2EE app and comes deployed out of the box (OOTB) on Oracle WebLogic Server 10.3.1.

Third - we introduced a new unified architecture across all protocols - the Oracle Universal Federation Framework. It is now much easier to plug OIF into existing environments and to build integration extensions.

To learn more about the benefits of the new version, visit the product documentation site.

Over the next few posts, I will continue to provide more information on OIF 11g.



New OAM 10.1.4.2 Certifications Released (June 2009)

The following new OAM 10.1.4.2 Certifications have been released:
1) Oracle HTTP Server (OHS) 10.1.3.4+ v2.0 (64-bit) WebGate for HP-UX Itanium 11.23 and 11.31
2) Lotus Domino Web Server 8.5.x (64-bit) WebGate for Windows 2003 EE SP2+ and Windows 2008 EE - x86-64 hardware
3) Sun Java Webserver 7.0.x (64-bit) WebGate for Solaris 10 (64-bit) - SPARC S2 hardware

Additional Resources:
OTN (download) location
OAM 10.1.4.x Support matrix location
OAM 10.1.4.x Package list location

Wednesday, May 27, 2009

Authentication and Authorization - Identity Services in OAM and/or OES

Recently, the question came up on how to expose authentication and authorization as identity services inside of the Access Management Suite.

Two solutions:

OES - Web Services SM configured with OAM SSPI Connector
OAM - Access Management - ASDK - with custom web services wrapper

Both are definitely good choices. A few quick thoughts on when each would be appropriate.

OES WS SM can be configured with the OAM SSPI connector to consume OAM sessions (ObSSO cookies), but it can also be configured to consume SAML assertions. In response to an assertIdentity call, it can be configured to return different types of tokens, including a SAML assertion. On the authorization front, OES does fine-grained authorization. The web services wrapping the Java API are what they are: they work well, but they are not integrated with any container. OES also exposes a standard authorization service with XACML.

OAM with a custom web services wrapper works with ObSSO cookies and focuses on coarse-grained authorization, like what is typically required for URLs. The web services implementation, since it's built on top of the container, is integrated. Also, it's very simple to take a POJO and turn it into a fully functioning web service.

So, basically if you need to extend OAM to have a SOAP interface for authentication and coarse-grained authorization, wrapping the ASDK in a web-service seems like the way to go. If you need more of a heterogeneous implementation which is expected to integrate using standards like SAML and XACML and has fine-grained authorization requirements, then the OES WS SM solution makes the most sense.

Wednesday, May 20, 2009

Using OES to Secure POJOs - Fact or Fiction?

In providing access control, there are two "main" functions - policy enforcement and policy evaluation.

The Policy Enforcement Point (PEP) intercepts the request and asks the Policy Decision Point (PDP) to evaluate the request. The PDP responds - yes/no - and then the PEP either lets the call continue or blocks the request. A good example of this whole model can be found in the XACML spec.

So, when looking at the question "Can OES be used to secure POJOs?" we need to look at both parts of the model - PEP and PDP.

On the PDP side, OES is sufficiently flexible to perform the task. The OES resource model allows for hierarchical names. This maps nicely to Java class names:

//resource/com/foo/Customer

Using this model, you could write policies to block access to packages or classes - somewhat useful, but probably not the main case. What about methods? There are really two choices here. The first is mapping the method invocation to the action:

//priv/getBalance //resource/com/foo/Customer

The second is going with a generic action and putting the method name as the leaf node of the resource:

//priv/invoke //resource/com/foo/Customer/getBalance

The latter makes it easier to write policies for "all actions on an object".

Now, what about access control at the instance level? I want to write a policy that says that 'Joe can get the balance of the customer if the customer is in state="MA"'

grant (//priv/invoke, //resource/com/foo/Customer/getBalance, //user/foo/Joe) if state="MA"

Makes sense, but how does OES get the state of the customer object?

OES has the ability to pass information from the PEP to the PDP, including Java objects. Either the PEP could use Java reflection to pass the attributes, or the PEP could pass the instance (assuming it's serializable) and OES could use attribute retrievers to get the values from the instance.

In a previous post, I discussed customers' desire for PEPs (Policy Enforcement Points). So, how would you go about wiring this in?

It depends on what container, if any, you are using. With no container, you need to look at AOP to insert these calls before the method runs. In Spring, you could do this with ACEGI + OES. If you are willing to make some small code changes, look at securing the classes with custom Java Permissions.

In my experience, I haven't seen a need for securing all POJOs. If that is your case, then use Java Security and custom permissions. What I have seen is the need to secure a small number of very sensitive classes. In that case, look at what the container provides, or possibly modify the class to explicitly call out to OES.
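To make the PEP/PDP split concrete, here is an added example (written for this post, not OES code or the OES API) in which a JDK dynamic proxy acts as the PEP for a POJO behind an interface, maps each call to the generic-action form `//priv/invoke` + `//resource/com/foo/Customer/getBalance`, and uses reflection to hand the instance's attributes to a toy PDP that holds the `state="MA"` policy. The `PolicyDecisionPoint` interface, `ToyPdp` and the `com.foo.Customer` types are all constructed stand-ins; compile it as `com/foo/PojoPolicyDemo.java`.

```java
package com.foo;

import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.LinkedHashMap;
import java.util.Map;

public class PojoPolicyDemo {
    public static void main(String[] args) {
        PolicyDecisionPoint pdp = new ToyPdp();
        Customer ma = PolicyEnforcingProxy.secure(Customer.class, new CustomerImpl("MA", 120.0), pdp, "//user/foo/Joe");
        Customer ca = PolicyEnforcingProxy.secure(Customer.class, new CustomerImpl("CA", 120.0), pdp, "//user/foo/Joe");
        System.out.println("Joe, MA customer: " + ma.getBalance());      // allowed by the policy
        try { ca.getBalance(); } catch (SecurityException e) { System.out.println("Denied: " + e.getMessage()); }
    }
}

/** Hypothetical PDP interface standing in for a call out to OES (not the OES API). */
interface PolicyDecisionPoint {
    boolean isAccessAllowed(String action, String resource, String user, Map<String, Object> attrs);
}

/** The POJO to protect, behind an interface so a dynamic proxy can wrap it. */
interface Customer {
    String getState();
    double getBalance();
}

class CustomerImpl implements Customer {
    private final String state; private final double balance;
    CustomerImpl(String state, double balance) { this.state = state; this.balance = balance; }
    public String getState() { return state; }
    public double getBalance() { return balance; }
}

/**
 * Toy PDP holding the one policy from the post:
 *   grant(//priv/invoke, //resource/com/foo/Customer/getBalance, //user/foo/Joe) if state="MA"
 * The "state" attribute arrives from the PEP; that is how the PDP sees instance data.
 */
class ToyPdp implements PolicyDecisionPoint {
    public boolean isAccessAllowed(String action, String resource, String user, Map<String, Object> attrs) {
        return "//priv/invoke".equals(action)
            && "//resource/com/foo/Customer/getBalance".equals(resource)
            && "//user/foo/Joe".equals(user)
            && "MA".equals(attrs.get("state"));
    }
}

/** PEP: a JDK dynamic proxy that intercepts every call on the POJO and asks the PDP first. */
class PolicyEnforcingProxy implements InvocationHandler {
    private final Object target; private final PolicyDecisionPoint pdp; private final String user;

    private PolicyEnforcingProxy(Object target, PolicyDecisionPoint pdp, String user) {
        this.target = target; this.pdp = pdp; this.user = user;
    }

    @SuppressWarnings("unchecked")
    static <T> T secure(Class<T> iface, T target, PolicyDecisionPoint pdp, String user) {
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] {iface},
                new PolicyEnforcingProxy(target, pdp, user));
    }

    public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
        // Generic action plus the method name as the leaf of the resource (second option in the post):
        //   //priv/invoke  //resource/com/foo/Customer/getBalance
        String resource = "//resource/" + m.getDeclaringClass().getName().replace('.', '/')
                + "/" + m.getName();
        Map<String, Object> attrs = attributesOf(target);   // reflection: instance data for the PDP
        if (!pdp.isAccessAllowed("//priv/invoke", resource, user, attrs)) {
            throw new SecurityException(user + " denied " + resource);
        }
        return m.invoke(target, args);
    }

    /** Reads every no-arg getter of the instance into a name -> value map (e.g. state -> "MA"). */
    static Map<String, Object> attributesOf(Object o) throws Exception {
        Map<String, Object> attrs = new LinkedHashMap<>();
        for (Method g : o.getClass().getMethods()) {
            String n = g.getName();
            if (n.startsWith("get") && n.length() > 3 && g.getParameterCount() == 0 && !n.equals("getClass")) {
                attrs.put(Character.toLowerCase(n.charAt(3)) + n.substring(4), g.invoke(o));
            }
        }
        return attrs;
    }
}
```

The reflection path is the first of the two options in the post; the alternative of passing the serializable instance and using an OES attribute retriever would replace `attributesOf` with a retriever on the PDP side.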

Monday, May 18, 2009

Oracle Enterprise Single Sign-on Suite version 10.1.4.1.0

The new version of the Oracle Enterprise Single Sign-on Suite version 10.1.4.1.0 is officially released and is posted to OTN for download. Check it out.

Product Download on OTN : http://download.oracle.com/otn/nt/ias/101401/as_windows_x86_esso-suite-multi-language-101410.zip
Docs for 10.1.4.1.0 : http://download.oracle.com/docs/cd/E12472_01/index.htm

Here are some of the new features in this release that are worth exploring:

  • New ESSO-LM User Interface
  • Updated Change Password User Interface
  • Administrative Improvements
    • Notification Service
    • Do not Add Predefined Templates to Bulk-Add by Default
    • Avoid Sending Admin Overrides for Certain Registry Keys
    • Domain Password Validation for Credential Sharing Groups
    • Infrastructure to Support Reporting Server
  • Authentication Enhancements
    • New Windows Logon v2 Installer Options
    • Network Provider Support for Windows XP and 2000
    • Share Authenticator Credentials with Synchronizer
    • LDAP v1 Logon Method now supports multiple Active Directory domains.
  • Newly Supported Systems
    • PuTTY v0.60
    • Newhart Systems BLUES 2000
    • Jolly Giant QWS3270 PLUS v4.4
    • Mozilla Firefox 3.0
    • Siemens DirX Directory v8
    • IBM Lotus Notes 8.0.1

Tuesday, May 5, 2009

BT and Oracle: Managed Fraud Reduction Service

British Telecom and Oracle are working together to help customers prevent fraud and verify identity with a combined solution. The combination of the real-time behavioral profiling, transaction analysis and identity verification make MFR a powerful and complete solution for customers in many different verticals. Here are some good articles written recently about this unique new offering from two industry leaders.

http://www.anti-keylogger.org/news_world.cgi?id=5356
http://www.pcw.co.uk/vnunet/news/2241280/bt-unveils-managed-security
http://uk.news.yahoo.com/16/20090428/ttc-infosec-2009-bt-unveils-managed-secu-6315470.html

Thursday, February 19, 2009

Standard Life Chooses Oracle IdM

CBR Online posted an interesting article about Standard Life's decision to use Oracle access management products to secure its sensitive applications. Standard Life will be using OAAM and the other access products to protect both customer and employee facing applications. Read the article...

http://www.cbronline.com/news/standard_life_to_roll_out_oracle_id_190209

Monday, December 1, 2008

Fraud Flash for the week of December 1, 2008

Dec. 1, 2008
'Perfect storm' Conditions line up for identity theft
http://www.elpasotimes.com/ci_11108752?source=most_emailed
From 8.5 million to 11 million U.S. consumers become victims of identity theft each year, depending on the estimate you use, said Levin, the former director of the New Jersey Division of Consumer Affairs.

Phishing Attacks Set New rerecords During September-October 2008
http://www.spamfighter.com/News-11380-Phishing-Attacks-Set-New-rerecords-During-September-October-2008.htm
A researcher at internet security company, Cyveillance, claims that in the past 60 days (September-October), phishing attacks have set new records in terms of frequency and volume, as reported by darkreading on November 17, 2008.

iDefense - Phishing E-mails Become More Sophisticated & Stealthier
http://www.spamfighter.com/News-11378-iDefense-Phishing-E-mails-Become-More-Sophisticated-Stealthier.htm
According to the statistics given by the company, within a span of six seconds, a new malware gets ready to be installed on the system. Once installed, it becomes extremely difficult to detect it, which, in turn, makes way for a spear-phishing attack.

OSU’s Students & Staff Targeted by Phishers
http://www.spamfighter.com/News-11379-OSUs-Students-Staff-Targeted-by-Phishers.htm
The spoofed e-mail asked the recipients to log-on to a fake website to catch the current news and information about OSU and directed users to the virtual webmail page of the university. As soon as the page is logged-on, the victims were directed to Ohio State Newark web page. This page is utilized to archive the passwords and usernames of the visitors that can be sold to the criminals.

Wednesday, November 19, 2008

Variations on a Theme: SOA Security Best Practices

Since posting at OOW, I've had a few follow-up discussions - inside and outside of Oracle - about the architecture I presented there. I think the main point I wanted to convey was that there is no one-size-fits-all for SOA security - or any security for that matter. That having been said, I would like to comment on two variations which have been suggested.

1 - Instead of using OWSM to protect an end-point could I use OSB?

OWSM (Oracle Web Services Manager) and OSB (Oracle Service Bus) are complementary technologies. This is not exclusively an either/or situation. For example, for public facing web services, using OWSM to protect the perimeter makes sense. This is the SOA equivalent of using Web SSO (like Oracle Access Manager) to ensure only authenticated traffic accesses the network. Assuming that the services are hosted in OSB and accessible from inside the network, it makes sense to have some security on these services as well. In OSB, different proxy services can have different security policies even though they point to the same business service.

So in summary, I could have used OSB instead of OWSM+WLS in my OOW demo. I could have also used both. The scenario was an employee intranet calling out to an outsourced HR provider. An HR service publicly exposed on the internet makes sense for the OWSM+OSB architecture described above.

2 - Instead of using SAML to pass identity from application to application, could I use my Web SSO token?

In the demo, I used the Credential Mapping capabilities of WLS to generate a SAML assertion, but what if you're running on a container/Web Services client stack that doesn't have that feature? Is there any issue with just passing the SSO cookie in the HTTP header or as part of WS-Security using BinaryToken profile?

There are two separate issues here - the first is the quality of the token (Web SSO vs. SAML) and the second is message-level security.

Both SAML assertions and Web SSO cookies have some ability to prevent being re-used in unauthorized ways - IP address checking or audience restrictions - and have some notion of timeout - session timeout or validity periods. I think one issue when choosing SAML vs. Web SSO is the duration of the transaction. For example, in the demo, let's assume that the large raise service required approval. In this case, by the time the transaction is approved, it's quite likely that the Web SSO ticket has expired. A SAML assertion generated for the specific purposes of the transaction could have a longer validity period - weeks. Regulations like PCI require sessions to time out in 15 minutes.

Regardless of the token, digitally signing the message essentially "staples" the credential to the message, ensuring that the credentials are not misused: taking the credential and adding it to a different message will not work. This ensures that the token - SAML or otherwise - is used appropriately. This and other techniques are covered in some detail in the WS-Security SAML Token Profile.
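As an added illustration of the "stapling" point together with the audience and validity checks from the previous paragraph (example code written here, not from the OOW demo or any Oracle product), the signature below covers both the identity token and the message body, so lifting the token onto a different message fails verification. Plain JCA signatures stand in for WS-Security XML Signature, and `IdentityToken`, `SignedMessage`, the subject `joe` and the audience `urn:hr-service` are all constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.time.Duration;
import java.time.Instant;

public class StapledTokenDemo {
    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();     // constructed: the sender's signing key
        Instant now = Instant.now();
        // Transaction-scoped assertion with a two-week validity window, as discussed in the post.
        IdentityToken token = new IdentityToken("joe", "urn:hr-service", now.plus(Duration.ofDays(14)));

        SignedMessage raise = MessageSigner.sign(kp.getPrivate(), token, "raise employee 42 by 5%");
        System.out.println("original verifies:  " + MessageSigner.verify(kp.getPublic(), raise, "urn:hr-service", now));

        // Lift the token (and its signature) onto a different message: the staple breaks.
        SignedMessage replay = new SignedMessage(raise.token, "raise employee 42 by 50%", raise.signature);
        System.out.println("transplanted token: " + MessageSigner.verify(kp.getPublic(), replay, "urn:hr-service", now));

        // Same message presented to the wrong service, or after the assertion expired.
        System.out.println("wrong audience:     " + MessageSigner.verify(kp.getPublic(), raise, "urn:payroll", now));
        System.out.println("after expiry:       " + MessageSigner.verify(kp.getPublic(), raise, "urn:hr-service", now.plus(Duration.ofDays(15))));
    }
}

/** Cut-down stand-in for a SAML assertion: subject, audience restriction and validity window. */
final class IdentityToken {
    final String subject;
    final String audience;
    final Instant notOnOrAfter;

    IdentityToken(String subject, String audience, Instant notOnOrAfter) {
        this.subject = subject; this.audience = audience; this.notOnOrAfter = notOnOrAfter;
    }

    /** Canonical form that the signature covers. */
    String serialize() { return subject + "|" + audience + "|" + notOnOrAfter; }
}

/** A message whose signature covers BOTH the token and the body. */
final class SignedMessage {
    final IdentityToken token;
    final String body;
    final byte[] signature;

    SignedMessage(IdentityToken token, String body, byte[] signature) {
        this.token = token; this.body = body; this.signature = signature;
    }
}

class MessageSigner {
    private static final String ALG = "SHA256withRSA";

    /** Sender side (the WLS credential-mapper role in the post): sign token and body together. */
    static SignedMessage sign(PrivateKey key, IdentityToken token, String body) throws GeneralSecurityException {
        Signature s = Signature.getInstance(ALG);
        s.initSign(key);
        s.update(bytesToSign(token, body));
        return new SignedMessage(token, body, s.sign());
    }

    /** Receiver side (the OWSM role): audience, validity window, then the stapled signature. */
    static boolean verify(PublicKey key, SignedMessage msg, String myAudience, Instant now) throws GeneralSecurityException {
        if (!msg.token.audience.equals(myAudience)) return false;          // audience restriction
        if (!now.isBefore(msg.token.notOnOrAfter)) return false;           // validity period
        Signature s = Signature.getInstance(ALG);
        s.initVerify(key);
        s.update(bytesToSign(msg.token, msg.body));
        return s.verify(msg.signature);                                    // token and body untouched?
    }

    private static byte[] bytesToSign(IdentityToken token, String body) {
        return (token.serialize() + "\n" + body).getBytes(StandardCharsets.UTF_8);
    }
}
```

Only the first check prints true; the transplanted token, the wrong audience and the expired assertion are all rejected.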

So, in both of the two variations, the answer is "it depends". I wish it was more straight-forward, and I had some universal best practices. I'm happy to share my thoughts on this blog or elsewhere - preferably some place warm :)

Monday, November 17, 2008

Fraud Flash for the week of November 17, 2008

Oct. 24, 2008
'Phishing' fraud e-mails hit Huskymail accounts
http://media.www.dailycampus.com/media/storage/paper340/news/2008/10/24/News/phishing.Fraud.EMails.Hit.Huskymail.Accounts-3505114.shtml
Over the last couple of months, an e-mail fraud attempt known as phishing has hit the university's e-mail server, putting thousands of students at risk, according to a report released earlier this week on the university's information and technology security Web site.

Nov. 17, 2008
Celent Tackles Insider Fraud
http://www.americanbanker.com/btn_article.html?id=20081029IGFNE94L
Insider fraud accounts for 60 percent of bank fraud cases where a data breach or theft of funds has occurred, yet in the last three years, just nine percent of financial services data breaches were a result of insider fraud.

ID Thieves Are Targeting Home Equity Lines
http://www.foxbusiness.com/story/personal-finance/id-thieves-targeting-home-equity-lines/
The FBI says HELOC thieves typically use stolen identification to apply online for a line of credit in your name. Then they instruct the bank to wire the funds to their accounts, providing their own contact information in place of yours.

Monday, October 20, 2008

Oracle Adaptive Access Manager 10.1.4.5 (10gR3)

Oracle Adaptive Access Manager provides real time and offline context aware risk assessment, multi-factor authentication and authentication process hardening for enterprise and consumer web applications. Adaptive Access Manager makes it safer for all types of businesses to expose sensitive data, transactions and business processes to consumers, remote employees and partners.

I'm pleased to announce the release of OAAM 10gR3. This release contains a lot of exciting new enhancements that the market has been asking for. Increased effectiveness, ease of use, and adaptability were the main themes of this release. The major areas of enhancement are globalization, behavior profiling, investigation tools, dashboard, reporting, proxy support, configurable actions and the administration interfaces.

1. OAAM 10gR3 has been localized for the standard set of languages supported by Oracle products. Specifically, Adaptive Risk Manager supports the nine standard administration languages and Adaptive Strong Authenticator supports the twenty-six standard runtime languages.
2. Behavior profiling uses administrator defined patterns to profile the behavior/activity of entities such as users, devices, IPs, shipping addresses, credit cards, email addresses, etc. The rules engine uses the profile data to evaluate the risk level of a situation based on comparisons of "normal" activity for the individual entity and all entities of the same type.
3. The new agent cases make forensic investigations quicker, easier and more successful. Events can be configured to create a case automatically. An investigator can quickly view the data involved in an incident and quickly locate related situations by easily harnessing the complex data relationships captured by OAAM.
4. The dashboard has expanded performance statistics and summary data as well as enhanced trend graphing capabilities.
5. A limited license of Business Intelligence Publisher is now included with OAAM so reporting can be fully customized to meet customer requirements. A collection of out of the box templates are provided that can be used as is or altered.
6. An Apache version of the "Universal Installation Option" reverse proxy is now supported to provide an alternative to the MS ISA proxy.
7. New configurable actions allow for customizations and integrations previously not possible. Custom code can be called directly by the ARM rules engine. This capability opens the door to almost unlimited possibilities.
8. The enhanced administration interfaces allow access to functionality previously available only to developers programmatically. The rule template editor allows a non-developer to create, edit and delete rule templates completely in the GUI. The transaction configuration screens allow the definition of a transaction and its constituent data elements. Various environment configurations, such as logging, properties and enumerations, are now exposed in the UI as well.

You can learn more about OAAM here

You can download OAAM here

Thursday, October 2, 2008

Fraud Flash for the week of September 29, 2008

Sept. 30, 2008
Identity theft victim wins right to sue county clerk over posting of personal data
An Ohio woman whose identity was allegedly stolen after an image of a speeding ticket containing her personal information was posted on a county government Web site can sue the county official responsible for putting such records online, a state appeals court in Cincinnati ruled last week.

Oct. 1, 2008
Online fraud rises by 185 per cent
The amount of money lost to internet fraudsters specifically targeting banking customers rose by an alarming 185 per cent in the first six months of 2008 because of an increase in phishing attacks and spyware scams, according to Apacs, the payment industry association.

Online fraud nearly doubles in just 12 months!
If ever there was a sign that we are in real trouble with worldwide economies it is the massive growth in online fraud as more and more people throw their common sense out of the window and chase an array of free money, gifts and other such prizes.

Oct. 2, 2008
New phishing attempt targets bank customers
Many people are wondering what to do now that their bank has been acquired in the wake of the lending crisis. Well, whatever you do, don't click on links in e-mails purportedly sent by your bank.
Security firm SonicWall said Thursday that it has been seeing e-mails that attempt to lure people to fake bank Web sites, where they are asked to re-verify their personal and bank information as part of a merger.

Phishing scams cash in on bank crisis
Businesses need to be on the lookout for phishing scams trying to cash in on the current economic crisis gripping the US. According to JP Morgan, customers using its Chase services have been receiving spam emails from fraudsters trying to commit identity theft and fraud by coaxing users into giving them account information.

Thursday, September 25, 2008

SOA Security - ADT or Crocodile Filled Moat?

I'm sitting here in the middle of the Moscone Center as OpenWorld 2008 comes to an end. It's been a long week, but I wanted to take some time to capture some thoughts on my first OpenWorld presentation.

This morning, Eric Leach and I presented to an enthusiastic group on securing WebLogic applications with Oracle Access Management. As the "technical guy", I put together a demo of Oracle Access Manager, WebLogic Server, Oracle Entitlements Server and Oracle Web Services Manager all working together in a "best practice" architecture.

The demo covered a fairly common scenario: end-to-end security in an SOA. For example, the customer already has an investment in OAM, and they need to extend those security capabilities down to the rest of the architecture - applications, services and data.

In the past, I think that the temptation would be to use OAM. Prior to the emergence of the entitlements market, WAM was the only COTS solution for externalizing authorization. WAM products are most successfully deployed when focused on the problem of web SSO. Authorization and the centralized management of security policy is better handled by Oracle Entitlements Server - OES.

I used OES to provide authorization for JEE resources, JSP pages, and Web Services. Both OES and OAM used a common directory - Oracle Internet Directory - as a system of record for users, user attributes and group memberships. This information fed the policies enforced by OES.

In order to have these policies enforced correctly, the various enforcement points need to have the correct user identity. The problem of propagating identity across an SOA is not a simple one. In the course of the demo, I actually had to use multiple mechanisms. The identity from OAM to WLS is passed via the OAM session cookie. WLS then generates a SAML assertion and passes it in the WS-Security envelope to OWSM. OWSM, in making the very fine-grained access control checks against OES, uses a simple USERID_TOKEN (username). In theory, I could have used SAML for all of these interactions, but in many cases full-on SAML is too much.

Like most everything in security, there is no "correct" answer - no perfect solution. The solution that I demonstrated using OAM, WLS, OES and OWSM is an attempt at a reasonable 80% case - something which most customers could use as a jumping off point for defining their own solution.
I think a good analogy in information security to "How much security is enough security?" is "What alarm system should I buy for my house?". I like to think of the solution I outlined in the OOW session as the "ADT Starter Package" of solutions - pretty good for most single family residences. Most houses don't need a moat or guard dogs, but a military base needs more than a "Keep Out" sign...you get my point :)

Thanks again to everyone who attended the session and for all of the questions. I gave out quite a few business cards, so I hope to hear from all of you. For those who didn't attend, once I get home, I'll add the relevant links from the session, and hope to drive some discussion around the solution.

Wednesday, September 24, 2008

Oracle Entitlements Server 10.1.4.3 Now Available

I'm glad to announce that we have released Oracle Entitlements Server (OES) 10.1.4.3 this week. OES came to Oracle via the BEA acquisition (where it was called AquaLogic Enterprise Security).

OES is a fine-grained entitlements management product that allows you to establish policies for how users can interact with and access things inside your applications and services. We call it "fine-grained" entitlements because OES can protect anything inside an application: user interface elements, server-side transactions, database columns and rows, even "business" things like Reports and Accounts.

OES 10.1.4.3 (or 10gR3 for short) is the result of several years of refining this product based upon tons of customer feedback. This release (aside from now having a new name and Oracle logo) has a couple of stand-out features:

1. Support for large policy sets and easy Delegated Administration. In OES we can now separate massive policy stores across multiple organizations and applications. Many OES (ALES) customers are setting up enterprise-wide authorization service layers and need a central place to manage policies for multiple LOB applications without everything in the same namespace. OES now has this ability to partition policies according to use and placement in the organization.

2. SharePoint protection. OES now ships a Policy Enforcement Point (PEP) that plugs into a MOSS 2007 environment to perform fine grained entitlements for web pages, web parts, lists, documents and other SharePoint "stuff".

3. Policy Simulation. The OES administration console now has a powerful simulation tool that lets a policy admin try out various scenarios and test policies without having to write an actual application to use them.

You can try out OES by downloading it from OTN here.

Also there is more information on OES here.

Thursday, September 11, 2008

Fraud Flash for the week of September 8, 2008

Aug. 30, 2008
National Technical Institute for the Deaf Rochester Institute of Technology
http://wcbstv.com/topstories/rochester.laptop.stolen.2.806853.html
A recently stolen laptop contained the names, birth dates and Social Security numbers of about 12,700 applicants to the National Technical Institute for the Deaf and another 1,100 people at Rochester Institute of Technology. The laptop belonged to an employee and was stolen on Monday from an office at NTID. People at RIT, who are not affiliated with NTID, are affected because their personal information was being used as part of a control group in an internal study.

Southwest Medical Association
http://www.lasvegasnow.com/Global/story.asp?S=8925605&nav=menu102_2
Thousands of medical charts, all listed to Southwest Medical Association, became the property of a man who bought the contents of a storage unit for just $25 dollars in an auction.

Sept. 3, 2008
Oakland School District
http://www.mercurynews.com/alamedacounty/ci_10372819
Thieves broke into the Oakland school district’s human resources offices and stole up to 12 computers containing the personal information of an estimated 100 new hires.

Sept. 4, 2008
Ecumenical Ministries of Oregon
http://www.oregonlive.com/news/index.ssf/2008/09/portland_hiv_day_center_asks_f.html
A computer containing information for at least 350 HIV patients was stolen from the Ecumenical Ministries of Oregon’s HIV Day Center.

Erie County Health Facility
http://www.wben.com/news/fullstory.php?newsid=10751
The Erie County Executive’s office issued a statement about a laptop computer stolen from a county health facility.

Sept. 5, 2008
East Burke High School
http://www2.morganton.com/content/2008/sep/05/061845/east-burke-high-school-posted-163-staff-members-so/
For the past five years, East Burke High School's website exposed files containing personal information including names, Social Security numbers, addresses, phone numbers, job titles, email addresses and unlisted phone numbers of teachers, bus drivers, custodians and other staff members on the Internet.

Newly reported incidents elsewhere:

In Japan:

Sept. 5, 2008
Hotta
http://www.yomiuri.co.jp/dy/national/20080905TDY02304.htm
The personal data of as many as 18,000 customers have been compromised after the server of Tokyo-based pet supply firm Hotta was accessed by a hacker in China.
About 3,000 cases of identity theft have been found among users of Yahoo Japan Corp.‘s online auction site. The total number of confirmed and suspected ID theft cases targeting the nation’s largest Internet auction site has reached about 10,000.

In Korea:

Sept. 6, 2008
GS Caltex
http://english.donga.com/srv/service.php3?bicode=040000&biid=2008090631088
Two multimedia discs containing the personal information of 11.1 million customers of GS Caltex, one of Korea`s largest oil refineries, were reportedly found on the street, but now it appears to have been an insider job and the story just a coverup.

In the U.K.:

Sept. 2, 2008
The Aberdeen Press
http://www.theregister.co.uk/2008/09/02/scots_paper_privacy_snafu/
Scottish newspaper The Aberdeen Press inadvertently made it easy to harvest sensitive information about registered users from its site as a result of a basic information security mistake.

Sept. 5, 2008
NHS
http://www.pinknews.co.uk/news/articles/2005-8916.html
A memory stick containing information about the STI tests of 146 people has gone missing from the Chelsea and Westminster Hospital

Sept. 6, 2008
Ministry of Justice
http://www.timesonline.co.uk/tol/news/politics/article4692879.ece
A disk containing the personal details of 5,000 prison staff was lost by EDS last year, but the prison service wasn’t notified until this July.

Sept. 7, 2008
Royal Bank of Scotland
http://www.walesonline.co.uk/news/wales-news/2008/09/08/bank-details-safe-after-laptop-theft-91466-21698548/
A laptop containing the personal details of 100 bank customers was stolen from a Welsh branch of Royal Bank of Scotland in May, but customers had not been informed of the theft because the details held on the laptop were encrypted.

In Canada:

Sept. 6, 2008
Direct Cash Management Inc
http://www.canada.com/calgaryherald/news/city/story.html?id=c442f4a5-4deb-440b-85b0-c7329d76d063
Ehud Tenenbaum, an Israeli hacker who broke into U.S. Department of Defense computers as a teenager is the alleged mastermind of a $1.8-million theft from Direct Cash Management Inc. in Calgary.

In UAE:

Sept. 5, 2008
UAE Credit Network
http://www.thenational.ae/article/20080904/NATIONAL/726459427
An international investigation is under way to find hackers believed to have stolen information from financial servers in the UAE to make fraudulent credit and debit card purchases in the US.