- Time for security to be thought of as an enabler and a business differentiator
- Customers want security, but they don’t want security to be the bottleneck
FOR many companies, security is about restricting access to, and putting up walls around, sensitive data and systems.
But for vendors in the identity management space, providing the right kind of access to the right kind of information to the right people actually opens up business opportunities – for instance, the traveling salesman who can get inventory information from his corporate network quickly to seal a deal.
“It is time for security to be thought of as an enabler and a business differentiator,” says Kenneth Hee, Asia Pacific director of Business Development Enterprise Security at Oracle Corp, touting this as the design philosophy behind Oracle Identity Management 11g Release 2, the latest iteration of the Oracle Identity Management platform first introduced in 2009.
Hee was speaking to select media just before the Kuala Lumpur leg of an Asia Pacific series of roadshows that had seen him visiting 14 cities already to tout Release 2, which was launched worldwide on July 19.
Oracle says the new release allows customers to embrace cloud, mobile and social infrastructures and reach new user communities to help further expand and develop their businesses – without sacrificing security.
“Customers want security, but they don’t want security to be the bottleneck” when they roll out new apps or features, says Hee.
“The way security has been architected in a corporate environment is still very much a case of everyone having their own approach. For example, I was in Korea talking to an auto manufacturer, and they had 20 different apps on the Android, all developed by different departments for different uses for employees.”
“About half of the people developing these kinds of corporate apps have no consistent implementation of security. Companies should not have separate treatment for their web apps and their mobile apps,” he adds.
There is enough reason for companies to think about security, he says, citing published reports: Six million passwords stolen from social network LinkedIn, information on 12 million credit cards stolen from Sony’s online game site; and bank fraud costing about US$7 billion in losses – all over a one-year period alone.
“It all boils down to how you secure the crown jewels of your organization. If you take your eyes off the ball, you risk your crown jewels,” says Hee. ”Oracle’s perspective is that you have to cover all the bases – or as we put it, embed security at every layer of the stack: Storage, server, virtual machine, operating system, database, middleware and applications.”
A key component of Oracle Fusion Middleware, Oracle Identity Management 11g Release 2 is built on Oracle’s open standards approach, and organizations can leverage these technologies out-of-the-box with Oracle Fusion Middleware, as well as non-Oracle applications and middleware, the company claims.
However, Hee says the stack (pic) is what guides the company’s whole research and development (R&D) in this area. “In the product segment that I represent, identity management, security has to be part and parcel of the application, not something you add separately.”
“In fact, all our future releases of our applications, including those in our PeopleSoft and Seybold families, will be using our identity management solution,” he adds.
One of the key drivers in building the new version was simplicity. “Some of the feedback we have got from Identity Management customers is that some of these solutions can be hard to navigate around,” he says.
The whole experience of requesting access can be daunting for say, a marketing person, who is presented with a whole smorgasbord of options, with all these weird system names.
“So our aim was to provide something as simple as Amazon’s one-click shopping experience,” says Hee. “Naming systems are important, as well as how you do cataloguing or how you present information to your user – the whole experience has to have a shopping-cart simplicity, including recommended access from colleagues with the same needs as you.”
“Once you check out, the request will be forwarded to the relevant people for approval, and you can also track this process much as you would you track your Amazon shipment, getting to see where exactly in the approval level it is,” he adds. “It is seamless for the user – you don’t need to go for training.”
Oracle says it also offers a comprehensive, proven directory service option with Oracle Identity Management 11g Release 2. New features include proximity based searching and virtual attributes enable frequent updates to the directory made by location based services to support mobile and social applications.
“We have raised the bar for our software in this area, simply because the type of usage has changed tremendously,” says Hee.” It’s no longer just about number of users. For example, we have a client in Singapore which is talking about close to a 1,000 authentications per second, and we’re not talking about someone using a supercomputer, merely everyday servers.”
The one thing about installing any enterprise software these days is the sheer number of accounts that come with it. Organizations will need to regulate regular as well as privileged users (or admin accounts).
“Unfortunately, the number of admin accts has been growing rapidly, and is usually managed in a very unorganized manner,” says Hee.
“For example, when you manage a data center, the focus is on operational efficiency, so it’s not unthinkable for people to share accounts to get things done as quickly as possible,” he adds. “But when something goes wrong, accountability becomes an issue. Who used this account last?
“Even if you keep a logbook, it’s hard to track. What we have in this release is a password vault – you don’t get a privileged account, but when you make a request, you’re assigned a password for that task or time period. When you have done what you need to do, the system will reset the password.”
Bring your own identity
With the bring your own device (BYOD) trend taking hold in the corporate world, companies need to rethink their security approach.
“The way we work has changed – work is no longer a place, but an activity. There is no physical boundary. This is a clear case of where security can be an enabler,” says Hee.
One of the key modules in Release 2 is mobile identity management, which leverages on the existing Oracle Identity Management platform and extends it to the mobile device level.
“When you want to sign on to view customer data, for example, based on location (using GPS for instance), we can dynamically authorize them based on the user profile that you have built,” says Hee.
“For example, if previously you only accessed data from Singapore and Malaysia using only English. If you now do it from a different location, your risk profile has changed, so that might require a different challenge/ response – and it won’t be just your mother’s maiden name, but perhaps a question asking what your first job was.”
All these can be customised by the customer, including at what stage the risk profile changes and the appropriate challenge/ response to verify and authenticate the user. And if the user already knows he will be travelling, he can make a request beforehand.
“This would just be a matter of policy-setting from the organization itself,” Hee says.
“What Oracle has done differently, is the way we authenticate someone -- we do it dynamically and in real-time, or what we call ‘real-time adaptive authentication’ – it adapts to the real-time situation and formulates a proper challenge/ response.
“You don’t just rely on a userID and password, but on other layers of authentication. It can track behavioral patterns – the trend is for dynamic authentication and authorization.
“The old way was that once you were in, you got all the access accruing to that userID , but what we have is a component called the Oracle entitlement server, which looks at the situation and chooses the entitlement in real-time – for example, a different level of access because your risk profile has changed,” he says.
However, Release 2 still enables single sign-ons.
“Another important piece is single sign-on for mobile devices – once you sign on successfully to the Oracle piece, you get access to all the information you had before, except when your risk profile has changed, as above,” he says, adding that the mobile identity management module runs both on the backend and on the client device.
“We believe this will give customers more confidence in implementing stuff like this, a clear case of enablement,” he says.
Another module is social sign-on, though Oracle recommends this only for low-assurance apps, like giving customers product information so that they can make a purchase decision, or product warranty registration.
“We don’t recommend it for e-banking or apps like that,” Hee says.
“According to one study, when people find that they must register or sign on just to participate, seven out of 10 times, they just don’t bother. We want to give customers the choice to ‘bring your own identity’.”
Security no longer about ‘no,’ but ‘know’