Friday, February 18, 2011

Cloud Security Grows Up! Gmail and Two Factor Authentication

A great leap forward for security and the cloud. Google announced last week that they will support two factor authentication within their very popular Gmail application. I have used Gmail for years and have enjoyed how it has provided innovation within a very important aspect of communication. However, security has been a secondary consideration within the innovation life-cycle. They were one of the first to institute security questions, but this is not enough these days, especially after high-profile people have had email accounts hacked with similar security features (e.g. Sarah Palin).

So here is the way that it works. Go to this page on Google's help site and they will walk you through the options. What is great about the way they have implemented the system is that no matter what your phone situation they have you covered. So, even those with a simple land-line to the house can benefit from the increased security. The real question is whether the users will take security seriously enough to take the 5 minutes to configure.

Google has been more committed than most to the importance of security. I encourage you all to read their philosophy on security. You can read more about their philosophy here.


Thursday, February 10, 2011

Oracle @ RSA

Download a podcast of our planned activities here.

We are excited about RSA next week. We are excited because of the great gathering of geeks focused on security but also because of the especially strong line-up of speakers: Janet Napolitano of the US Department of Homeland Security, FBI Director Robert Mueller, and Howard Schmidt from US Cybersecurity are just a few. We will also have a strong line-up of Oracle speakers:

On Wednesday, Feb. 16 at 8:30am:
Cloud Computing: A Brave New World for Security and Privacy (CLD-201)
Speaker: Michelle Dennedy, Vice President, Security and Privacy Solutions, Oracle

Thursday, February 17 at 8:30 AM
Databases Under Attack - Securing Heterogeneous Database Infrastructures (DAS-301)
Speaker: Vipin Samar, Vice President, Oracle Database Security, Oracle

Friday, February 18 at 10:10 AM
Seven Steps to Protecting Databases (DAS-402)
Speaker: Steve Moyle, Chief Technology Officer, Oracle Database Firewall, Oracle

Scott Gaetjen, co-author of the book Applied Oracle Security: Developing Secure Database and Middleware Environments, will be signing books at the Oracle booth on the following days.
  • Tuesday, February 15, 12:00pm-1:00pm and 5:00-6:00pm
  • Wednesday, February 16, 12:00pm-1:00pm and 5:00-6:00pm

Oracle will have a booth at the expo hall throughout the event so please come by and share, learn and participate with us at the event.

Tuesday, February 8, 2011

Oracle Security Online Forum & RSA Conference


February is a great month! Not only did we get to see a great Super Bowl last weekend between Pittsburgh and Green Bay but we have the inaugural Oracle Security Online Forum (Feb. 24) and the RSA Conference at Moscone Center (Feb. 14-19). Yes, this means that Valentine's Day will be celebrated in San Francisco - great reason to bring the wife along - but also that a large number of security geeks will be in the city as well.


We will have a booth at the RSA Conference and we have over 40 people involved in the show speaking, attending and participating. Please feel free to drop by and let us know what you are working on or to get questions answered. This is one of the best collections of security professionals in the industry so don't miss the opportunity to participate.

The Oracle and Accenture Security Online Forum, Thursday Feb. 24, will be a virtual seminar with security leaders from Oracle and Accenture sharing insights on how to secure enterprise assets. Here are some of the great speakers from the event but for a complete list and to register go here.
  • Mary Ann Davidson, Oracle’s Chief Security Officer—on industry-leading standards, technologies, and practices that ensure that Oracle products—and your entire system—remain as secure as possible.

  • Jeff Margolies, Partner, Accenture’s Security Practice—on key security trends and solutions to prepare for in 2011 and beyond.

  • Vipin Samar, Vice President of Oracle Database Security solutions – on new approaches to protecting data and database infrastructure against evolving threats.

  • Tom Kyte, Senior Technical Architect and Oracle Database Guru—on how you can safeguard your enterprise application data with Oracle’s Database Security solutions.

  • Nishant Kaushik, Oracle’s Chief Identity Strategist on how organizations can look to Oracle Identity Management solutions to help them reduce fraud and streamline compliance.

I hope you will join us at one of the events this month to share, learn and participate. These are exciting times for security professionals, and sharing and participating is how we all learn more about how to have a better and more successful business impact.

Tuesday, January 25, 2011

Forrester and Oracle Team-up to present Total Economic Impact Report

It's still a tough economic environment and organizations we talk to are conscious of two things. How can they maximize limited resources? And, how can they maximize business impact? It is perfect timing that Andras Cser from Forrester Research and Neil Ghandi from Oracle will be presenting a free webinar on the Total Economic Impact of deploying Oracle Identity Analytics.

Here is one of the facts that emerged from the research. When teams are just sailing along implementing technology that looks good on paper, it is imperative to have real customer case studies to confirm data. In this report, customers achieved a risk-adjusted ROI of 60%.

You can hear how they derived this remarkable result in the free webinar tomorrow at 12:00pm PT/3:00pm ET.

You can register here

Andras Cser,
Sr. Analyst with Forrester Research


Neil Ghandi
Product Manager, Oracle Identity Analytics

Thursday, January 20, 2011

OpenID 2.0 and Oracle Identity Federation - More Detail

Thanks to everyone for attending the webinar yesterday. Mark did a great job talking about how to build a comprehensive extranet security strategy. Get access to the replay here. He also talked a little about the OpenID 2.0 inclusion in Oracle Identity Federation.

This next blog post is for the geeks in the audience (that's a good thing). With the new support for OpenID 2.0 in OIF I wanted to share some of the documents that are available for you to configure your deployments and start using this great new feature. So, if you like diagrams like the one below there is a technical whitepaper and two configuration documents for you listed below:



Here are the other assets:
  • Technical Whitepaper on OpenID 2.0 in OIF

  • Configuration of OpenID IdP in OIF 11gR1 PS3

  • Configuration of OpenID RP in OIF 11gR1 PS3
Tuesday, January 18, 2011

    OpenID 2.0 Supported by Oracle Identity Federation

    Mark Karlstrand will be giving a free webinar tomorrow, Wednesday Jan. 19 at 10:00am PT or 1:00pm ET, on how to build a complete extranet security strategy. Part of the discussion will be on how to connect to the cloud securely. This is perfect timing because the Oracle Identity Federation product team just released a feature patch that allows them to now support OpenID 2.0. You can register here for the webinar tomorrow. Below is a brief description of why this is important to companies that want to offer this service to their users.

    OIF supports both Relying Party and OpenID Provider roles in accordance with the recent OpenID 2.0 specification. It enables organizations to start accepting OpenID from leading providers such as Yahoo and Google or to become an OpenID provider in a matter of hours. With OIF users can leverage their corporate identity at OpenID-enabled blogging sites and social networks, such as Facebook.

    OIF supports OpenID 2.0

    Custom Actions

    OIF Custom Actions enable site-specific operations to be executed during federated authentication flows. This gives organizations additional flexibility to implement an authentication process that meets their specific security and business needs.

    Both Identity Providers and Service Providers can benefit from Custom Actions to streamline integrations and reduce application deployment time.

    For example, Custom Actions can be used by Identity Providers to dynamically generate additional user attributes which are not stored in a directory or database. The generated attributes can then be added to an attribute statement and sent to a Service Provider. Service Providers can leverage Custom Actions to manipulate identity data received from the Identity Providers and prepare it for consumption by applications or homegrown security tools.

    Developing Custom Actions does not require extensive knowledge of federation protocols; they are simple J2EE modules. Once developed, a single Custom Action can be leveraged to customize authentication flows over any protocol supported by OIF.

    Hope you will join us tomorrow to discuss this great new feature in OIF.

    Wednesday, January 5, 2011

    2010 Identity Management In Review

    It has been a busy year in Identity Management so I thought I would collect some of the major events that have impacted 2010. Security and Identity Management continue to be important drivers for organizations. I am not sure who exactly coined the term but security/identity management is definitely a "lifestyle" more than a product or release. The market and products continue to evolve to address top IT and consumer forces that are shaping security and business in 2010 and beyond. Here are just four of the key forces:
    1. Cloud Computing
    2. Social Media
    3. Data Center Consolidation
    4. Mobile Devices and Workforce
    As a result, we had a very busy 2010, which made Identity Management an exciting segment of the IT market to work in. Here are just a few of the events that shaped my world:
    1. Oracle and Sun join forces in Identity Management, Feb. 2010. Oracle Directory Services Enterprise Edition and Oracle Identity Analytics are strategic projects.

    2. Oracle Launches Security Newsletter with 22K initial readers, April 2010. The newsletter focuses on security news and products at Oracle.

    3. Oracle Identity Management at Burton Catalyst 2010. This year's show was fantastic but a little different as it was the first Burton Catalyst under Gartner. It contained great insight into the evolution of the industry and with the other tracks on Cloud, Collaboration and Data Center Management it had something for everyone. The show is scheduled to run in 2011 so we look forward to seeing it evolve.

    4. Oracle Launches 11g for Identity Management, July 2010. The launch included new features for the entire identity management platform and specifically for the following products: Oracle Access Manager, Oracle Adaptive Access Manager and Oracle Identity Manager.

    5. Oracle Directory Services Enterprise Edition and Oracle OpenSSO complete new releases which include new branding.

    6. Launched a new blog focused on Identity Governance called Identity Expressions

    7. Launched a new product in the Identity Governance category called Security Governor. This product will help verticals like Healthcare take a holistic approach to security and identity.

    8. Oracle Open World had over 25 sessions on Identity Management with over 200 people attending the Identity Management Keynote.

    9. Oracle acquires Passlogix. After a very successful OEM relationship Oracle acquired Passlogix and continues to offer the Enterprise Single Sign-on Suite to its customers.
    2011 should be a great year and the start to a great new decade. I can predict one thing for sure. The Identity Management market will continue to evolve as new security challenges and new IT and consumer forces impact our solutions. Identities are key to any valuable transaction for business, consumers, partners, etc. Data is dumb when it is just data. When it is tied to an Identity it is much smarter and many, many times more valuable. Just ask Facebook, Google, etc. Identity Management is about putting people and business in control and if we make it easy for business and people to manage and implement then Identity Management will be critical to their success.

    Monday, December 6, 2010

    Kuppinger Cole Webcast on Access Management Appliance

    In case you missed it, Kuppinger Cole hosted a webinar with one of our partners, F5, on the value of their Access Management appliance called BigIP. BigIP helps organizations deploy access management solutions faster by reducing the number of agents that have to be deployed. This saves time and money when standing up a new access management solution or leveraging an existing solution for more of your applications within the enterprise.

    You can watch the webinar here:

    European Identity Conference

    While you are on the KC site you should think about registering for the European Identity Conference in May. It will be just around the corner and getting international travel approved is never easy. It is a great conference!

    Monday, October 18, 2010

    University Breach Raises Questions About Fraud Prevention

    There are several news articles in today's press that remind us all of the damage and cost of not having the right security defenses in place. A study by the National Fraud Authority as reported in The Register claims that the UK loses $4.13B to Identity Fraud each year. According to the report the average theft results in $1530 in benefit to the thief. In these tough economic times, this is a dramatic drain on scarce resources and should underline why business should ensure they have the right fraud prevention and access management strategy in place to protect their customers.

    The second article has to do with the recent breach at the University of North Florida, which compromised over 100 thousand identities. Universities continue to struggle with identity security, with a number of breaches over the last 5 years which have hit the headlines. The University has unique challenges with the number of students/identities that turn over each year, quarter or semester. In some cases this is close to 25% per quarter or year. In addition, the students in some computer labs are inquisitive and experimenting with the latest hacks, challenging even the toughest security measures. Ask any Network Admin at a major university about application and network security and you will hear some amazing stories. In some cases, way more exciting than corporate network security. However, this is a side-topic for another blog entry sometime.

    The key to ensuring that you have the right level of protection is adding an additional layer of security and Oracle Adaptive Access Manager is a great solution for this purpose. Ensuring you have tools that allow for real-time response to rules you define on access helps prevent unauthorized access to applications and network resources. In addition, you can use features like One-Time Password to layer authentication security on key resources to ensure you combine something you know with something you have to improve security. Here is a quick intro to how Oracle Adaptive Access Manager can help.

    Friday, October 1, 2010

    Zeus Brought Down by Operation Trident Beach

    I am finally caught up after a great week last week at Oracle Open World. And it was just in time to read about this great bit of international crime fighting bringing an end to an international cyber-crime ring using the Zeus Trojan to allegedly steal $70M. Details are still coming out but according to this article by The Register the crime ring was able to deploy Zeus and key-log individuals' bank accounts and then use "money mules" to access the accounts and make withdrawals illegally. One thing is for sure: you have to admire the naming capabilities of the team which came up with "Operation Trident Beach", which shows marketing doesn't have a monopoly on naming talent. Here is a quick paragraph taken from The Register article (full text here):
    Trident Beach began in May 2009, when FBI agents in Omaha, Nebraska learned of automated clearing house batch payments to 46 separate bank accounts throughout the US. Agents eventually brought in counterparts from the other involved countries. The payments are a hallmark of Zeus scams, in which hackers break into victim bank accounts and then clean them out using the bank's ACH transfer system.

    The thieves targeted small- to medium-sized companies, municipalities, churches, and individuals.

    I was talking with Mark Karlstrand, the Product Manager for Oracle Adaptive Access Manager, and he mentioned that the product has two critical features that would have prevented this from happening. According to Mark: "The KeyPad virtual authentication device could have prevented the password theft via key-logger. The use of the passwords from Eastern Europe and other behavior anomalies could have been detected by OAAM real-time risk analytics." As more details come out about the cyber-crime ring and Zeus we will bring you details.

    Friday, September 24, 2010

    Day 5: Oracle Open World Wrap

    I had a great time this week at Oracle Open World. It is quite a show with over 47K attendees spread over 4 city blocks with great sessions and conversations about Identity Management and many other cutting edge technologies. I am definitely in PowerPoint overload and would be happy not to see another slide for a while but the information was great! We have collected some of the photos from the sessions up on our Facebook page here. Here is just one of the pictures from the concert on Treasure Island with the Black Eyed Peas, The Steve Miller Band and Don Henley. I heard someone say "it was the greatest corporate concert ever!"

    The presentations were all taped and should be up on the website shortly. Stay tuned for more information as it becomes available. If you followed us on Twitter, please let us know what you think by sending us messages.

    The Verizon presentation on Directory Server Enterprise Edition and using Fractional Replication was a highlight for me. It should have been scheduled earlier in the week so that more people could have attended. Verizon has one of the largest directory deployments in the world with 40+ million identities and many partners and LOBs using it as their repository. The Verizon deployment is also a great example of using Fractional Replication to empower LOBs with their own identity repository while allowing the central team to maintain control over the data. Verizon is also a great example of using SSO to reduce cost and maintain a great User Experience across many different portals. Madhu, thanks for sharing such great information with the identity management community. I will post the presentation once it is available on the website.

    Thursday, September 23, 2010

    Day 4: IDM at Oracle Open World

    Hope you enjoyed the Black Eyed Peas last night. We have an action packed IDM session on Thursday to finish up the show. Here is a quick run down of the sessions. Etienne and I will be introducing Verizon as we talk about how Replication and Fractional Replication are critical features in a high performance Directory Server deployment.

    · Follow us on Twitter @OracleIDM. Use hash tags #oow10idm

    Time / Title / Location

    9:00 am – 10:00 am
      • Middleware s317487 End-to-End Secure Identity Propagation (Moscone South Rm 310)
      • Middleware, Applications s316524 Oracle Identity Management for Oracle JD Edwards EnterpriseOne (Moscone South Rm 309)

    10:30 am – 11:30 am
      • Middleware s316991 Database User Management with Oracle Directory Services and Active Directory (Moscone South Rm 310)
      • Middleware s316837 Deploy a Highly Performant Entitlements Solution with Oracle Entitlements Server (Moscone South Rm 309)
      • Middleware s317270 Service-Oriented Security: Simplifying Identity Management for Applications (Moscone West L3, Rm 3018)

    12:00 pm – 1:00 pm
      • Middleware s316829 Demystifying IdM: A Customer’s Guide to a Practical IdM Deployment Strategy (Moscone South, Rm 309)

    1:30 pm – 2:30 pm
      • Middleware S315086 Replication Best Approaches on Directory Server - Fractional Replication (Moscone South Rm 309)
      • Middleware S316829 Demystifying IdM: A Customer’s Guide to a Practical IdM Deployment Strategy

    3:00pm – 4:00pm
      • Middleware s314871 Oracle Identity Manager and Oracle BPEL Tools for Digital Identity Management (Moscone South Rm 309)

    3:30 pm – 4:30 pm
      • Middleware/Oracle Develop S317543 Service Oriented Security 101 (Hotel Nikko Mendocino I / II)

    Tuesday, September 21, 2010

    Day 2: Access Management at OOW

    Oracle Open World is off to a great start with plenty of good content and demos for the business owner or technical implementation team. Yesterday I saw two great demos from the OAM team. Mark Karlstrand, pictured to the right, was giving a demo on OTP Anywhere to Bob Blakeley. It was impressive as he used his cell phone to provide a stronger authentication method for a bank transfer (the demo was not real, but you get the point).

    There are a couple of ways to follow what is going on during the show.

    You can follow us on Twitter by using the hash tags #oow10 #idm or follow us directly @OracleIDM.

    We are also uploading pictures and videos from the day at our Facebook page at Facebook/OracleIDM here.

    Here are the sessions for Tuesday, Sept. 21 at Oracle Open World

    Time / Title / Location

    12:30 pm – 1:30 pm
      • Middleware s317146 Securing Web Services: Solutions, Best Practices, (Moscone South Rm 309)

    2:00 pm – 3:00 pm
      • Middleware s317467 Simplify Identity Management and Support Future Growth with Directory Services (Moscone South Rm 309)

    3:30 pm – 4:30 pm
      • Middleware s317064 Oracle Identity Management Administration Best Practices (Moscone South Rm 309)
      • Middleware s317240 Oracle’s Identity Management Strategy (for Sun, Oracle and New Customers Alike) (Moscone South Rm 310)

    5:00 pm – 6:00 pm
      • Middleware s317484 Case Study: How Cisco Achieved Large-Scale, Highly Available Access Management (Moscone South Rm 310)
      • Middleware s317244 Enforcing Segregation-of-Duties Controls with Identity Management (Moscone South Rm 309)

    Friday, September 10, 2010

    Identity Management at Oracle Open World

    Oracle Open World is fast approaching and the time to register is NOW so you don't miss out. This year the show is going to be a blast. I have heard rumors about the band that will be performing one night but you know what they say about rumors. More importantly, the IDM team have a lot of new things to talk about at this year's show. First, we released 11g this summer, which included exciting new approaches like Service Oriented Security, better user experience and new features for:

    • Oracle Identity Manager
    • Oracle Access Manager
    • Oracle Adaptive Access Manager
    • Oracle Identity Analytics

    If you want a comprehensive list of all the sessions so you can follow along, please visit the Focus On Identity Management document located here. Also, we have five don't-miss sessions which you need to attend. Here are the dates and times. Or, you can find them on our Facebook page here.

    Date & Time / Title of Presentation / Location
      • Mon 11am: Oracle Identity Management 11g Overview (Moscone South 309)
      • Tue 2pm: Simplify IDM with Directory Services – (Moscone South 309)
      • Tues 3:30pm: Oracle’s IDM Strategy (for Sun, Oracle Customers Alike) (Moscone South 310)
      • Wed 1pm: Building a Strong Foundation for Your Cloud with IDM (Moscone South 309)
      • Wed 4:45pm: Complete Identity & Access Governance with OIA 11g (Moscone South 309)
      • Tues 5pm: How Cisco Achieved Large-Scale, Highly Available Access Management (Moscone South 310)

    The last time the Identity Management team was all together a few photos were taken and I have included one from that fun event at Burton Catalyst. Hope you will be able to join us!


    Thursday, August 26, 2010

    Free Webinar Today 10:00amPT: Simplify Access Management with F5 & Oracle

    On Thursday, August 26, we are hosting a webcast that will take you through the solution and talk about why we believe this will simplify Access Management. Please join us as F5 and Oracle product experts explain this simple solution.

    Title: Live Webcast - Streamline Access Management with F5 & Oracle

    When: Thursday, August 26, 2010, 10:00 a.m. PT or 1:00 p.m. ET

    Where: Register for this live webcast here: Streamline Access Management with F5 & Oracle