Wednesday, August 24, 2011

What's new in Oracle Access Management

Yesterday, as part of the IOUG education series, I did a webinar about layering enterprise security with Oracle Access Management components. We also spent some time explaining what's new in Oracle Access Management 11gR1 PS1 (11.1.1.5.0), released earlier this summer.

The replay will be available shortly, so check back soon.

We focused on a number of key themes for the PS1 release, including:
  • Single Platform to Secure Access to Data, Applications and WebServices
  • Centralized Session Management to deliver stronger security
  • Stronger methods of Authentication including OTP tokens, and KBA
  • Enhanced Manageability
    • Centralized Server and Agent Administration
    • Inline Diagnostics and Troubleshooting
One of the other cool things we did in this release was complementing the existing OAM services - authentication, SSO, and session management - with a new, integrated standards-based security token service.

This is a great example of how we layer functional products, like Oracle Access Manager and Oracle STS, on top of our modular, shared services architecture. We also centralized policy management and administration of the two products into a single console:






 


This integrated approach allows customers to deploy OAM and STS together, or to disable services that aren't required. For example, customers that have already deployed a 3rd party authentication and SSO system and don't require OAM services can deploy Oracle STS with that 3rd party system.

In case it isn't obvious, deployment flexibility is another theme of the release.

We are pretty excited about some of the new features and will be posting on individual products in the release, including Oracle Access Manager, Oracle ESSO, and Oracle Adaptive Access Manager in upcoming blog posts.

Friday, May 13, 2011

OAM 11g Authentication as a Webservice

A somewhat advanced topic for those who want to dive deep into OAM.

Check out other good blogs from Eric and Chris to understand the nitty gritty of how SSO works

A common scenario for an access manager providing authn/authz services is for a client to pass the necessary credentials to an agent, which in turn passes the information to OAM via the HTTP/OAP protocols. The agents used here are, of course, the webgates and the accessgate: the webgate is specific to web servers, while the accessgate is the customized agent for a client application that may or may not have a web server.
Now, what happens if the client does not have a web server that Oracle agents are normally compatible with? The client is left to use the accessgate, which may involve a lot of customization, or may simply not use Access Manager as the solution.

What if there were a way to remove the client's web server dependency on webgate/accessgate and yet provide a standard way of communicating with Oracle Access Manager?
The solution is to use OAM as a web service, while the mechanics necessary for a successful OAM authentication remain unchanged. In other words, the agent (accessgate) is moved to the back end, probably on the same box as OAM, or on another box.

So what exactly triggers the OAM authentication? The following diagram depicts the above scenario.

The request for a resource can be done in two ways

From a web client such as a browser




Or from a standalone client such as a Java application



Note that in both of the above cases the client does not require any webgates/accessgate.

Before I jump into the details of the above, some SOAP features worth mentioning (some of which you may already be aware of) are:
SOAP
  1. Uses standard internet HTTP
  2. Uses XML to send and receive messages
  3. Platform independent
  4. Language independent
  5. A protocol for exchanging information in a decentralized and distributed environment
  6. SOAP happens to be one of the key features of Microsoft's .NET architecture, especially Web Services


Web services describe a standardized way of integrating Web-based applications using the XML, SOAP, WSDL and UDDI open standards over an Internet protocol backbone. XML is used to tag the data, SOAP is used to transfer the data, WSDL is used for describing the services available and UDDI is used for listing what services are available. Used primarily as a means for businesses to communicate with each other and with clients, Web services allow organisations to communicate data without intimate knowledge of each other's IT systems behind the firewall.


Flow in a nutshell



  1. The client requests a resource.
  2. The request is submitted to a proxy client, which in turn makes a SOAP call to OAMAuthService, which is a web service.
  3. This service calls the OAM 10g ASDK API.
  4. The ASDK API invokes the accessgate (which is installed) to communicate with the OAM server.
  5. The OAM server performs authentication and passes an encrypted token back to the client.



Components

The components involved in the above architecture are

OAMServer: The emphasis here is on an OAM 11g server, which provides the authentication service.

AccessGate: AccessGate is the building block for all webgates. Unlike a webgate, which is always associated with a web server, an accessgate is used by standalone or non-web applications, e.g. a Java program, an EJB or a C program. Accessgates are the only way to communicate with the OAM server.

OAMAuthService: A Java file that contains the implementation APIs for the web service. These APIs call the AccessGate ASDK API, which communicates with the accessgate, which in turn talks to the OAM server for the authentication check.

WebServiceClientProxy: This is a Java proxy that is used to make web service calls on OAMAuthService. All web and non-web applications will instantiate this Java class for OAM Auth Services.

OAMAuthServlet: This is a sample servlet that instantiates the WebServiceClientProxy, collects the username and password, and submits them to the OAM server via the WebServiceClientProxy.


Scope
The scope is limited to session token validation between similar agents, i.e. the token obtained from one 10g agent can be used with another 10g agent. The 10g token cannot be used with an 11g agent. This is a limitation of the current release.

Sample Code
https://www.samplecode.oracle.com/tracker/tracking/linkid/prpl1004?id=S757

The sample code folder also contains a JDeveloper IDE project file (helpful for those who would like to view and deploy from an IDE).

I hope you have enjoyed this article and leave comments if any.

Follow derick_leo on Twitter




Wednesday, May 11, 2011

Tool Talk Webcast: Balancing Strong Authentication and Context-aware Security

On May 4th, Mark Karlstrand presented a webcast on how to augment strong authentication with layered or context-aware security. The replay of the webcast is available from the SANS website (note you will have to register a SANS account in order to view the replay).
Here is an interesting blog on how Symantec exposed a security hole at Facebook, where Facebook applications are accidentally leaking access to 3rd parties.

Thursday, April 28, 2011

New certifications for OAM 10.1.4.3

We have released a number of new 10.1.4.3 OAM 3rd party and Oracle packages/certifications on OTN -
  • 64-bit Websphere Application Server v7.0 with Portal on
    SUSE 10 & SUSE 11
    Redhat Linux 5.x
    Windows 2003 & Windows 2008
  • 32-bit ASDK on Redhat Linux 5.5
  • 32-bit Apache 2.2.x, with Apache Reverse Proxy on SUSE 10 & 11
  • 64-bit Apache 2.2.x, with Apache Reverse Proxy on SUSE 11
  • 32-bit & 64 bit Apache 2.2.x, on AIX 6.1
They can be downloaded here.

Wednesday, April 27, 2011

It's official: OAM 11g certified with EBS 12

Oracle Access Manager 11gR1 (11.1.1.3) is now certified for use with E-Business Suite Releases 12.0.6 and 12.1.1 and up.

There are two certification paths available: one for new users, and one for users upgrading from Oracle Single Sign-On Server 10gR3 (OSSO).
  • Users who are implementing single sign-on for the first time may integrate OAM 11gR1 using Oracle E-Business Suite AccessGate Release 1.1. Oracle E-Business Suite AccessGate is a Java EE application that resides on a separate application server (Oracle WebLogic Server), and provides direct integration between Oracle E-Business Suite and Oracle Access Manager through OAM WebGate. Oracle E-Business Suite AccessGate is available at no cost to licensed Oracle E-Business Suite customers.

  • Users who are upgrading from OSSO 10gR3 can leverage their existing integration by using OAM 11gR1 with the mod_osso agent. This option allows you to migrate your existing partner application registrations from OSSO 10gR3 to OAM 11gR1, with minimal disruption to existing application integration and functionality. This integration does not require Oracle E-Business Suite AccessGate, and is supported for upgrading users only.
Documentation
Detailed documentation has been published here:
Integrating Oracle E-Business Suite with Oracle Access Manager 11g using Oracle E-Business Suite AccessGate

Migrating Oracle Single Sign-On 10gR3 to Oracle Access Manager 11gR1 with Oracle E-Business Suite


Prerequisites & Interoperability
  • Oracle E-Business Suite Release 12.1 RUP 1 (12.1.1) or higher; Release 12.0 RUP 6 (12.0.6)
  • Oracle Access Manager 11gR1 (11.1.1.3) with Bundle Patch 02 (BP02)
  • Oracle Internet Directory 11gR1 PS2 (11.1.1.3) or higher
  • Oracle WebLogic Server 11gR1 PS2 (10.3.3) or higher
Platforms Certified
The Oracle E-Business Suite AccessGate Java application is certified to run on any operating system for which Oracle WebLogic Server 11g is certified. Refer to the Oracle Fusion Middleware 11g System Requirements for more details.

Integration with mod_osso is supported on all fully certified Oracle E-Business Suite Release 12 platforms. Refer to the My Oracle Support Certifications section for more details.

For information on operating systems supported by Oracle Access Manager and its components, refer to the Oracle Identity and Access Management 11gR1 certification matrix.

Wednesday, April 20, 2011

iOS4 tracking location data

As reported here, it turns out iOS4 is tracking and storing user location data. This data is on your phone and is backed up to machines with which you sync your iOS devices. While it doesn't appear that the data is ever accessed by Apple or 3rd parties, this raises significant privacy concerns. Plenty of people are commenting on that, so I won't belabor the point here.

Instead, I'll focus on a counterpoint.

When customers use Oracle Adaptive Access Manager to perform risk/anomaly detection and fraud prevention, often they incorporate IP/Geolocation data to help identify anomalous behavior (why are you performing a transaction from Ouagadougou when normally you log in from San Francisco?) or obvious breaches to the laws of physics (10 minutes ago you and your device were in San Francisco, now you and your device appear to be in Tenerife).

Most IP/Geolocation data is very specific to laptop/desktop types of devices. As more services are accessed using smartphones and tablets (or other non-user devices for that matter) data that helps security infrastructure understand where a user is currently - like, I don't know, say by triangulating that user's device location from nearby cell towers - could prove significantly useful in preventing fraud and therefore protecting people from criminals.

Protecting people from criminals is a good thing, right?

Apple hasn't said why they are collecting the data or how they intend/expect it to be used. That's a smart bunch of people over there, so perhaps they've already thought through the use cases above and that's why the data is there.

Or, this could also turn out to be a serious Big Brother move. What's all that I've been seeing this week about Skynet coming online and destroying humanity?

I'm gonna go download an app to find out where I've been.

Wednesday, April 13, 2011

Oracle Security Token Service – Single “thread of identity”

We are getting ready to roll out our next generation product called Oracle Security Token Service (Oracle STS), which will become the hub for brokering trust and authentication in a typical enterprise deployment. Oracle STS will help solve the identity propagation problems that we see these days in most enterprises.

Many customers have already deployed or are in the process of deploying an Access Management solution to address their single sign-on needs for their intranet and extranet users. The next level of access management problem that is trending is facilitating the user’s authenticated identities through multiple business systems and processes so applications can make smart decisions based on the user’s identity.

In a typical enterprise environment, application users will have to interact with various types of applications in a distributed environment, deployed on multiple application platforms, spanning multiple security domains. A single “thread of identity” is becoming a requirement to facilitate a better and seamless user experience and at the same time simplify the integration and deployment of these distributed applications and environments.

Oracle STS can be deployed as a shared service that provides a standards-based, consolidated mechanism of trust brokerage between different identity domains and infrastructure tiers, which can help bring down the overall cost through centralized administration, increasing end-user productivity and providing improved application security and trust enforcement through standards.

Tuesday, April 12, 2011

May 4th webcast: Strong AuthN Credentials Are Not Enough

On May 4th, Mark Karlstrand, product manager for Oracle Adaptive Access Manager, will be doing a webcast discussing why strong credential-based authentication is not a solution on its own and why a layered approach to access security is required.

Topics covered will include contextual risk analysis, monitoring for suspicious behavior and looking for anomalies related to authentication events. Oracle Adaptive Access Manager provides tools to enable this type of monitoring to detect potentially fraudulent activity and misuse of legitimate user credentials or authentication devices. This layered approach ensures that the credential based authentication mechanism being used will not be a single point of failure.


For information about the topic and to register, go here:
http://www.sans.org/info/75764

Thursday, April 7, 2011

OAM 11g deployment with a multi-million user population live!

The first production deployment of OAM 11g with a multi-million user population is now live! Starting April 1st, 2011, OAM 11g is now taking 100% of authentication load from extranet web properties of Oracle. All customers that access any Oracle service over the extranet are now authenticated with Oracle Access Manager 11g.

All web authentication traffic at Oracle, whether intranet or extranet, desktop or iPhone, end-user or programmatic, is now being handled by the OAM 11g system. Collectively, this amounts to about 750 K authentication requests on a typical working day. As we transition more systems to use Corporate SSO, we expect this number to grow in the coming quarters.

Monday, March 28, 2011

What is more important? What you buy or from whom you buy it?

I recently had a very enlightening and satisfying customer service experience.

Not too long ago, I bought a new car. I love the car - it drives great, gets great gas mileage, looks cool, and is basically everything I was looking for in a car. Unfortunately, this car was also having persistent issues with the emissions system, causing the Service Engine Soon light to come on after about 1700 miles. I dutifully took the car into the dealer to have it serviced. Then I took it in again. And again.

With each trip to the dealer, my frustration mounted. I began to conclude that I had inadvertently been sold a "lemon". I did some research into California's "Lemon Law" and as a result immediately contacted the manufacturer to notify them of the issues with the car, tell them how frustrated I was, and see what they would do.

Because of other customer service experiences - satellite/dish providers and mobile/telco providers spring immediately to mind - I expected the worst. To my surprise, the customer service provided by BMW North America was superb. The customer service representatives (I talked to two during one 20 minute call) were helpful. They showed empathy for my situation. They told me they would advocate on my behalf. They offered suggestions for what to do next. They asked me what I thought would help bring the situation to a successful conclusion and promised to work toward those outcomes.

As a result, I was immediately calmed. I asked for a root cause analysis of the problem and I agreed to another attempt to service the vehicle. In the end, I didn't get a root cause, but I did get my car back with the issue fixed, was treated exceptionally by the dealer, and am probably on my way to becoming a lifetime customer.

Every successful company cares about their customers. So what makes one vendor or manufacturer different from another?

I am very often asked by customers, partners, Oracle sales people, and others what differentiates Oracle and our Identity and Access Management products. Usually they expect that I will tell them what our products do, how they are built, and why that makes them different from other products they may be evaluating. What I typically tell people is that it isn't WHAT we are selling but HOW we stand behind it that makes all the difference. The example above perfectly illustrates the point.

Let's face it, there often isn't a lot of easily identifiable functional differentiation between products sold by big enterprise software companies. While most claim otherwise, this is also true of many of the smaller start up and niche vendors in the identity and access management market.

The same can also be said for car manufacturers like BMW, Lexus, and Mercedes Benz, which is what got me thinking about this in the first place, that it's more about from whom you buy and how they help you after you buy it than what you buy in the first place. Setting aside the price aspect for a moment, generally this kind of thing is referred to as a commodity.

So when I listen to customers talk about what is really important to them, I generally hear them focus on two things:
  1. they think of most software and the hardware it runs on as commodities, and;
  2. as a result it isn't the product functionality they are worried about, but the robustness of the solution and how easy it will be to keep it up and running in their environment.
In fact, when asked to spend $100, many will spend $70-80 out of that $100 on tools/features for existing software that facilitate diagnosing or troubleshooting issues. As it turns out, this is an indication that these customers are worried about whether - when something goes wrong - someone will be there to listen, to help them through their problems, to understand what defines a successful outcome, and be an advocate toward that outcome.

So how do vendors and customers work together to achieve a successful outcome? What do commodity vendors do to differentiate themselves from other vendors?

While working with customers, I've noticed a few things that our team does that almost always help:
  • Be proactive. If all your interactions are based on hair-on-fire escalations you generally don't have a good basis for cooperative, constructive problem solving. Since most enterprise software support systems are by their nature reactive, proactive communication will help by establishing a rapport and creating trust outside of the scope of reacting to a specific problem. Proactive communication will also allow you to anticipate key upcoming milestones so that you can prime your reactive support system to be ready before problems occur.
  • Be transparent. Tell your customer what you are doing and why you are doing it. Most support escalations occur when your customer contact doesn't know what to tell his/her boss. Picking up the phone periodically, even if just to explain that you have nothing new to report but are continuing to work on or monitor the situation, can help defuse most potentially explosive situations.
  • Show empathy. Don't make exaggerated claims or promise to deliver things you cannot deliver. The single most satisfying thing about the customer service I received from my car manufacturer was the fact that they made it clear they were on my side. They made no promises other than to be my advocate. That was enough.
  • Engage action. Get everyone on the same page about why they come to the office everyday: to ensure customer success. If everyone is on the same page about why, you can avoid disputes about what needs to happen, who needs to do it, and when it needs to get done. The most successful resolutions I've seen have been the result of strong collaborations of cross functional teams where the day job of most of those team members was not, strictly speaking, customer support.
This is a pretty basic description of what the folks at my car manufacturer did for me. Of course, there is no one-size-fits-all solution that creates undeniable differentiation around a commodity product. Nonetheless, when prospective customers ask me what sets Oracle apart, I don't spend a lot of time telling them about software features. Instead, I describe the process above, explain why that is important to us as an organization, and how that emphasis benefits customers.

Usually, that is enough.

Monday, March 21, 2011

How SSO works in OAM 11g

Here at Oracle, the access management PM team gets asked a lot of questions about how Oracle Access Manager 11g works, especially about the overall SSO model, what cookies are created and what they do, the processing flows between components, and how specific component interactions work to achieve authentication and SSO. In this post, we will explore the OAM 11g SSO model. It’s quite a bit different from the OAM 10g model, especially since we now support things like server side credential collection, server-based session management, and application scoped sessions.

Before we get started, it’s worth noting that OAM 11g supports the use of both OAM 10g and 11g Webgates as well as mod_osso plug-ins for Oracle HTTP Server (OHS). We support this through what we call the Protocol Compatibility Framework, which lets the OAM server communicate with and interpret protocol messages from the webtier agents mentioned above. This is an extensible framework so has the potential to support other clients or agents in the future.

OAM 11g uses a combination of host cookies or domain cookies (depending on the version of Webgate you use), a server cookie, and an in-memory session store (based on Oracle Coherence technology) to maintain and correlate user session information.

Since OAM 11g supports different Webgate versions and mod_osso, you will see different cookies depending on the version of Webgate being used: either the ObSSOCookie (for 10g) or OAMAuthnCookie_host:port (for 11g).

However in both cases, the contents of the cookies are:

  • Authenticated User Identity (User DN)
  • Authentication Level
  • IP Address
  • SessionID (Reference to Server side session – OAM11g Only)
  • Session Validity (Start Time, Refresh Time)
  • Session InActivity Timeouts (Global Inactivity, Max Inactivity)
  • Validation Hash
These cookies are updated periodically, using an algorithm based on 1/4 of the idle session timeout. There are two main differences between the 10g and 11g cookies:
  • The 10g ObSSOCookie is domain scoped and cookie encryption uses a shared key for all 10g Webgates.
  • The 11g OAMAuthnCookie is host scoped and different host cookies may be issued for each resource accessed that is protected by a different 11g Webgate. Cookie encryption for each 11g Webgate is unique to that Webgate.
The values of the cookies will change over the life of a user's session. However, you'll notice that the Session ID that is present is a reference to the server side session object, which remains the same across the life of a session.

In the typical deployment topology, you’ll have one or more Webgates deployed on web servers in the Web Tier, a variety of components deployed in the App Tier including an OAM admin server running on the Weblogic domain’s admin server, one or more OAM runtime servers deployed on Weblogic managed servers, a database to support the OAM policies, an LDAP directory against which you will authenticate users, an optional auditing database, and an optional BI Publisher instance for reporting.

Using an OAM 11g Webgate in the flow, let’s recap how this works:

1) An OAM 11g Webgate intercepts the incoming request for a resource, determines whether the resource is protected, and – if it is – the OAM 11g server constructs and returns a response back to the Webgate. That response contains the authentication scheme required to authenticate the user.

2) Next the Webgate sets a cookie (called OAM_REQ) to keep track of the target/requested URL and then redirects to the OAM 11g server, which routes the request to the credential collector. The credential collector serves up the login page, which captures credentials and posts the credentials to the OAM server. The credentials are validated against the ID store configured for this particular authentication scheme. Once the credentials are validated, the OAM server creates an authentication token, the session in Coherence, and creates a server side session cookie called the OAM_ID cookie, which has details about the user, the time the session was created, the idle timeout, and session identifier to the coherence session.

3) Then the OAM server constructs a response which is encrypted with the Webgate's key and redirects to the Webgate. The Webgate decrypts the response, extracts the authentication token and the session identifier, and uses that information to set OAMAuthnCookie, which is set as a host cookie: OAMAuthnCookie_. (In this step, if you are using an OAM 10g Webgate, the response from the server will contain the information required to set ObSSOCookie; if you are using mod_osso, the response will contain the information required to set the OHS host cookie.)

4) When subsequent requests are made from that Webgate, the authentication token is passed by the Webgate to the OAM server, which validates the authentication token, checks the validity of the OAM_ID cookie and session timeout, and does the appropriate authorization checks. As the result of authorization checks, additional attributes may be added to HTTP Headers and passed to downstream applications. This is especially useful when asserting user identity and group or role information to downstream applications such as those running on Oracle WebLogic Server and Oracle Fusion Middleware.

5) When requesting a resource protected by a second Webgate, the request flow will be similar to the above. Webgate2 will check if the resource is protected, and get the authn scheme details from the OAM server. From there WG2 redirects to the OAM server, the OAM server checks the OAM_ID cookie, and then generates a new authentication token for WG2, creates an encrypted response using the key for WG2, and redirects to WG2. WG2 decrypts the response, extracts the authentication token and session identifiers and sets an OAMAuthnCookie as a host cookie for WG2.
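To make the key-scoping and server-side session points above concrete, here is an added example that is not Oracle code and does not reproduce OAM's cookie format. It is a toy model in which an HMAC stands in for the cookie encryption and validation hash, a dictionary stands in for the Coherence session store, and all class, agent and user names are hypothetical.

```python
"""Toy model of SSO token key scoping and server-side sessions (not OAM code)."""
import base64
import hashlib
import hmac
import json
import secrets


class SsoServerModel:
    """Stand-in for the access server: a session store plus one key per agent."""

    def __init__(self, idle_timeout=900):
        self.idle_timeout = idle_timeout   # seconds; constructed value
        self.sessions = {}                 # session id -> server-side session
        self.agent_keys = {}               # agent name -> secret key

    def register_agent(self, name, key=None):
        # 11g-style: every agent gets its own key. Passing the same key to
        # several agents models the 10g shared-key arrangement.
        self.agent_keys[name] = key if key is not None else secrets.token_bytes(32)

    def login(self, user_dn, authn_level, now):
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = {"dn": user_dn, "level": authn_level, "last_seen": now}
        return session_id

    def _mac(self, agent, body):
        return hmac.new(self.agent_keys[agent], body, hashlib.sha256).hexdigest()

    def issue_token(self, session_id, agent, now):
        # The token carries a reference to the server-side session, not the session itself.
        session = self.sessions[session_id]
        claims = {"dn": session["dn"], "level": session["level"], "sid": session_id, "iat": now}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
        return body.decode() + "." + self._mac(agent, body)

    def validate(self, token, agent, now):
        body, sep, mac = token.partition(".")
        if not sep:
            return False, "malformed token"
        expected = self._mac(agent, body.encode())
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False, "validation hash mismatch"
        claims = json.loads(base64.urlsafe_b64decode(body))
        session = self.sessions.get(claims["sid"])
        if session is None:
            return False, "no server-side session"
        if now - session["last_seen"] > self.idle_timeout:
            del self.sessions[claims["sid"]]
            return False, "idle timeout"
        session["last_seen"] = now
        return True, claims["dn"]

    def logout(self, session_id):
        self.sessions.pop(session_id, None)


def demo():
    out = {}
    alice = "cn=alice,dc=example,dc=com"   # constructed sample identity

    # Per-agent keys: a token minted for wg1 does not validate at wg2.
    srv = SsoServerModel(idle_timeout=900)
    srv.register_agent("wg1")
    srv.register_agent("wg2")
    sid = srv.login(alice, 2, now=0)
    t1 = srv.issue_token(sid, "wg1", now=0)
    out["own_agent"] = srv.validate(t1, "wg1", now=60)
    out["other_agent"] = srv.validate(t1, "wg2", now=60)
    out["second_agent"] = srv.validate(srv.issue_token(sid, "wg2", now=120), "wg2", now=120)

    # Shared key: the same token is accepted by every agent holding that key.
    shared = secrets.token_bytes(32)
    legacy = SsoServerModel()
    legacy.register_agent("wgA", shared)
    legacy.register_agent("wgB", shared)
    lsid = legacy.login(alice, 2, now=0)
    out["shared_key"] = legacy.validate(legacy.issue_token(lsid, "wgA", now=0), "wgB", now=60)

    # Server-side session: ending it invalidates a still well-formed token.
    srv.logout(sid)
    out["after_logout"] = srv.validate(t1, "wg1", now=180)

    # Idle timeout is enforced from server-side state, not from the token.
    sid2 = srv.login("cn=bob,dc=example,dc=com", 2, now=0)
    out["idle"] = srv.validate(srv.issue_token(sid2, "wg1", now=0), "wg1", now=901)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```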

Wednesday, March 16, 2011

Updates to FFIEC Authentication Guidelines

The FFIEC published draft guidelines that update their 2005 guidance for authentication in Internet banking environments.

This updated draft guidance calls for:

  • More risk assessments for banks to better understand and respond to emerging threats, such as man-in-the-middle or man-in-the-browser attacks, as well as keyloggers;
  • Increased multifactor authentication;
  • Layered security controls;
  • Improved device identification and protection;
  • Improved customer and employee fraud awareness.
The good news is that tools such as Oracle Adaptive Access Manager already provide many of the controls specified in the draft guidance. Check out the datasheet to see how OAAM can help meet the requirements of these updated guidelines.

This updated FFIEC guidance is consistent with another trend we've seen: more precise, prescriptive regulations that organizations need to meet in order to be in compliance. Typically more prescriptive regulations are seen in industry segments like financial services (or other highly regulated industries like healthcare) and then gradually spread to other industry segments.

Stronger Authentication Isn't The Answer

It seems practically every day I hear the same question. “My company needs a strong form of authentication for users of our web applications but we don’t like the downsides of hardware tokens/smart cards/etc, what type of strong authentication is better?” The problem with this question is it’s generally based on the false assumption that adequate protection for web applications can be achieved by deployment of “strong” credential based authentication alone. Of course, I am not disparaging anyone asking this question since the underlying assumption has been engrained in us all and it’s been enforced by various regulations and corporate policies to boot. So what is the best answer to this question?

Let’s start by breaking this down a bit. To clarify, I am using the term “credential based” authentication to refer to all authentication forms that verify a user’s identity by asking them to provide a credential. It really doesn’t matter if the “credential” is a password, one time password, biometric (typing rhythm/fingerprint/hand veins/iris/etc), or something else, they are all really just different types of authentication credentials in the end. So if a company chooses to simply substitute one form of credential for another they are not really increasing their security by much when considering all the types of threats. Some types of credentials and flows are stronger than others but there are threats that can’t be prevented even by the strongest of these. As well, there are soft and hard costs with such a change so a business better be substantially increasing their security not just swapping apples for nicer apples.

Just a few of the threats that credential based authentication of any strength cannot address are insider fraud and session hijacking. How can a credential prevent an employee/contractor/user from misusing the access they have been granted? Likewise how can a credential prevent someone/something from taking control of a valid user’s session and misusing it? The reality is that credential based authentication and authorization alone simply can’t. To address such threats, contextual risk analysis must be part of the solution to be effective.

A solution must actively “watch” the entire context of an access request to see what a user does and see how far their current behavior varies from their past “normal” behavior and/or the past behavior of all users. A solution must “learn” from past incidents what fraud/misuse looks like and identify how closely a situation matches to these past incidents. Also, a solution should be able to proactively interdict if the risk of a situation becomes too high. This risk-based interdiction may employ forms of credential based authentication that are both easy to use and an appropriate strength for the resource and level of risk at that moment. As well, interdiction could take the form of dynamic authorization policy adjustments based on the level of risk. To summarize, a company that wants strong access security for their web applications must take a more holistic approach which includes contextual risk analysis, risk-based strong authentication and risk-based authorization controls.
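The contextual checks described in this post, and the "laws of physics" geolocation check from the iOS4 post above, can be sketched as follows. This is an added example, not Oracle Adaptive Access Manager's rules or code: the weights, thresholds, action names and sample coordinates are all assumptions chosen for illustration.

```python
"""Risk scoring from location context: impossible travel and unfamiliar location."""
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 1000.0        # assumption: roughly airliner speed
MIN_TRAVEL_KM = 50.0          # assumption: ignore geolocation jitter below this
KNOWN_RADIUS_KM = 500.0       # assumption: "near a previously seen location"
SCORE_IMPOSSIBLE_TRAVEL = 70  # assumed weights and thresholds
SCORE_NEW_LOCATION = 40
CHALLENGE_AT, DENY_AT = 40, 70


@dataclass(frozen=True)
class Access:
    user: str
    ts: float    # seconds since an arbitrary epoch
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def assess(history, event):
    """Return (score, reasons, action) for an access event given past events."""
    prior = [h for h in history if h.user == event.user and h.ts <= event.ts]
    score, reasons = 0, []
    if not prior:
        # No past behavior to compare against: ask for stronger proof.
        score += SCORE_NEW_LOCATION
        reasons.append("no baseline for user")
    else:
        last = max(prior, key=lambda h: h.ts)
        dist = haversine_km(last.lat, last.lon, event.lat, event.lon)
        hours = (event.ts - last.ts) / 3600.0
        speed = dist / hours if hours > 0 else math.inf
        if dist > MIN_TRAVEL_KM and speed > MAX_SPEED_KMH:
            score += SCORE_IMPOSSIBLE_TRAVEL
            reasons.append("impossible travel")
        nearest = min(haversine_km(h.lat, h.lon, event.lat, event.lon) for h in prior)
        if nearest > KNOWN_RADIUS_KM:
            score += SCORE_NEW_LOCATION
            reasons.append("unfamiliar location")
    if score >= DENY_AT:
        action = "deny"
    elif score >= CHALLENGE_AT:
        action = "challenge"   # step-up authentication
    else:
        action = "allow"
    return score, reasons, action


# Constructed sample data: approximate city coordinates, one day = 86400 s.
SAN_FRANCISCO = (37.7749, -122.4194)
TENERIFE = (28.2916, -16.6291)
OUAGADOUGOU = (12.3714, -1.5197)
DAY = 86400
HISTORY = [Access("alice", 0, *SAN_FRANCISCO), Access("alice", DAY, *SAN_FRANCISCO)]


def demo():
    usual = assess(HISTORY, Access("alice", 2 * DAY, *SAN_FRANCISCO))
    far_away = assess(HISTORY, Access("alice", 2 * DAY, *OUAGADOUGOU))
    ten_minutes_later = assess(HISTORY, Access("alice", DAY + 600, *TENERIFE))
    return usual, far_away, ten_minutes_later


if __name__ == "__main__":
    for result in demo():
        print(result)
```

In this model the Ouagadougou login a day later is reachable by air, so it only triggers a step-up challenge, while the Tenerife access ten minutes after a San Francisco login is denied.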

Monday, February 21, 2011

Register Today for Free Oracle Security Online Forum Feb. 24

Oracle and Accenture are holding a new joint event focusing on security. The event will feature a great line-up of speakers and sessions that will last from 9:00-1:00pm PT on Thursday, Feb. 24. The event will focus on security topics that face the enterprise today. The event kicks off with a keynote presentation detailing emerging security trends and where we think security is headed in the next decade. Please join us for 30 minutes or the entire day.

Key Speakers:

  • Mary Ann Davidson, Oracle’s Chief Security Officer, on industry-leading standards, technologies, and practices that ensure that Oracle products—and your entire system—remain as secure as possible.

  • Jeff Margolies, Partner, Accenture’s Security Practice—on key security trends and solutions to prepare for in 2011 and beyond.

  • Vipin Samar, Vice President of Oracle Database Security solutions—on new approaches to protecting data and database infrastructure against evolving threats.

  • Tom Kyte, Senior Technical Architect and Oracle Database Guru—on how you can safeguard your enterprise application data with Oracle’s Database Security solutions.

  • Nishant Kaushik, Chief Identity Strategist—on how organizations can look to Oracle Identity Management solutions to help them reduce fraud and streamline compliance.

Full List of Sessions: Look here for sessions tab for list