Israel as a westerner

I don’t usually blog about my travels, but I’m just coming to the end of a 4 day work trip to Tel Aviv and felt compelled to share my thoughts and experiences.

When I got the invitation in my inbox a few weeks ago, inviting me to Israel to speak at a conference and meet a number of customers, I was a little apprehensive. Why wouldn’t I be? As a westerner, the only things I see and hear about Israel in the media is around the troubles in Gaza or the rocket attacks near the Syrian border. After some carefully worded probing, my host in Tel Aviv assured me that it was safe where I would be visiting and I had nothing to worry about. Fears placated I booked the trip.

I’m so glad I did. Whilst my free time in the city has been limited, I have managed to find time to explore and I really had nothing to worry about. Sure, the city has issues with crime and terrorism. In fact, it turns out there was a terrorist shooting on Weds night whilst I was in the city (I only found out about this on the news two days later). However, is that any different from any other major city? I visit London far more often and look at the problems there. At no point did I feel unsafe during my trip. I both ran and walked at various times of day to a number of places across the city. The vibe of the city is awesome. A constant throng of people and music. An overall great atmosphere. It has a real Mediterranean feel about the place. The history, especially around the old town of Jaffa, is amazing, with its small, cobbled alleyways and streets.

A nice shot from Jaffa looking back over Tel Aviv.

Everyone I met made me feel extremely welcome and my host couldn’t have looked after me better.

It just goes to show that you shouldn’t just rely on what you read and see in the media.

I really hope this won’t be my last trip to Tel Aviv as I look forward to coming back to this wonderful city.


Being Positive – Why I love my job!

As Brits we like to moan! We complain about the weather, we complain about queues, we complain about our politicians, we complain about each other. I’m no exception and I’ve been known to be muttering under my breath for a whole variety of reasons. Maybe someone is dawdling (I love that word) along when I’m trying to get somewhere, or a driver in front of me is being particularly frustrating.

However, it’s a very slippery slope that can lead to always seeing the negative side of things. In reality we don’t often appreciate, or feel gratitude for what we do have.

There is a fantastic psychotherapist in the UK called Richard Nicholls who produces a regular podcast called Motivate Yourself (it was #1 in the UK podcast charts for a while, which was where I came across it). His short, 15 min monthly podcasts always seem to hit the mark, covering very relevant topics. His most recent podcast, titled “The Gratitude Attitude”, was all about how we take things for granted. I’m actively trying to be a more positive person, following many of Richard’s teachings and suggestions. It got me thinking about my job.

Most of us have a good moan about work from time to time. We complain that we are overworked, underpaid, and not appreciated. So, I decided to flip this on its head. I sat down to think about all of the positive things about my job that I am grateful for and decided to make a list. Here are ten things I came up with:

  1. I have a job

It shouldn’t be taken for granted. Not everyone does.

  2. I get paid a salary I can live on

Yes, many of us want a higher salary, but I see that as my challenge: to constantly improve my career, my prospects and my circumstances if I want to continue to climb the salary scale or the career ladder.

  3. I work with some great people

Extremely talented, professional individuals.

  4. I get to meet lots of people

In a customer-facing role, I constantly meet new, exciting, and interesting people.

  5. I get to travel

My job gives me the benefit of regular travel both in the UK and internationally. I have seen places I wouldn’t have otherwise visited had it not been for my job.

  6. I work with cutting-edge tech

I like technology. That’s why I work in IT. Working for an IT vendor I constantly get to play with the latest and greatest innovations.

  7. I work in a great industry

Cyber security is hugely topical with the growing number of data breaches year on year. I am in the thick of the industry trying to protect organizations.

  8. I get to balance my home and work life

Unlike some previous jobs where I was away a lot, my current job enables me to spend more time at home with my family.

  9. Recognition

Ok, this one is a bit vain, but who doesn’t like to be recognized when they are working hard and doing a good job? I seem to have a good reputation at work, which means I get positive feedback.

  10. I’m healthy

Is this strictly related to my job? Maybe, maybe not. My work does involve lots of sitting around at desks, but it also means I am in a clean environment, and my working flexibility means I can pop out for that run if I want to. Give and take is important.

Could I have written a list of 10 negative things about my work? Of course I could. However, I chose to focus on the positive. Concentrating on what is good and what I am grateful for. All too often I see colleagues moaning about what isn’t working, or what they don’t like and that only leads in one direction, an endless downward spiral, which isn’t where I want to be.

Don’t get me wrong, next time you see me, I won’t always be a ‘happy clappy’ euphoric individual. I might even still moan a bit, but I am trying to be more positive.

2018 – Autonomy vs Automation

At OpenWorld 2017 last year (it still seems strange saying last year), Oracle announced “The world’s first Autonomous Database”. The marketing literature states:

 “Oracle Autonomous Database Cloud eliminates complexity, human error, and manual management, helping to ensure higher reliability, security, and more operational efficiency at the lowest cost.”

When I first heard about the autonomous database, I didn’t quite get it. I’m no database expert but I thought that we had database management well in hand. I know DBAs with decades of experience who can manage databases with their eyes shut, usually using lots of scripts and automation.

So, what’s different about the new Oracle Autonomous Database? The penny dropped for me when I realised the difference between automation and autonomy. A common misunderstanding is that Oracle has just automated the database. That is not the case.

Automation refers to a set of sequential steps that are executed in order, usually using a script. Think of an unattended installer. You give it the settings and it executes a number of predefined steps to install your piece of software with the settings you define. Another example might be a DBA who has written a script to automate the patching of a server. The script will run through a series of steps, such as: connect to the server, upload the patch, execute the patch, verify the patch, then restart the server. Both of these are examples of automation, not autonomy.

When Oracle talks about the Autonomous Database, they aren’t saying that they have just written a number of scripts to automate several steps, they are talking about autonomy, i.e. self-management.

What this means is that, as the administrator, you will define the parameters within which the database must operate and the database will take care of that for you. For example, you will define the service level you need, or the information retention policy you must enforce. Then, the database will do the rest, under the covers to meet that requirement. No more setting up RAC or DataGuard to configure HA and DR.

From a security perspective, the Autonomous Database also reduces the risks associated with manually managed databases. Yes, we have some very clever and experienced DBAs with mature scripts, but, in today’s world of increasing cyberattacks and more data breaches than ever before, against larger and more sensitive data, we need to remove as many of the manual processes associated with security as possible. There will, of course, always be a need for some manual intervention, but the security posture in any organisation, and the response to any threat, needs to be more rapid than waiting for an overworked DBA or SOC Analyst to get around to dealing with it.

For example, the Autonomous Database will patch itself regularly with the latest patches and always enable encryption, so you don’t inadvertently leave data stored in the clear.
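To make the automation/autonomy distinction concrete, here is an added example (not Oracle code, and not a description of how the Autonomous Database is implemented). It contrasts a scripted patch run, which executes the same fixed steps every time it is invoked, with a controller that reconciles the observed state of a database against a policy the administrator declares. The `Policy` and `DatabaseState` names, and the patch-level and encryption fields, are assumptions made for illustration.

```python
"""Automation vs autonomy as a reconciliation loop (added example, not Oracle code)."""
from dataclasses import dataclass, field


def automated_patch_run(server):
    """Automation: a fixed sequence of steps, executed in order every time the
    script is run, regardless of whether the server actually needs patching."""
    steps = []
    steps.append("connect")
    steps.append("upload patch")
    server["patch_level"] = server["available_patch_level"]
    steps.append("apply patch")
    steps.append("verify patch")
    steps.append("restart")
    return steps


@dataclass
class Policy:
    """What the administrator declares; constructed fields for illustration."""
    max_patch_lag: int = 0          # patch levels behind "latest" that are tolerated
    require_encryption: bool = True


@dataclass
class DatabaseState:
    """Observed state of the database; constructed fields for illustration."""
    patch_level: int
    available_patch_level: int
    encrypted: bool
    history: list = field(default_factory=list)


def reconcile(state, policy):
    """Autonomy: compare observed state with the declared policy and take only
    the actions needed to close the gap. Returns the actions taken this pass;
    an empty list means the database already satisfies the policy."""
    actions = []
    if state.available_patch_level - state.patch_level > policy.max_patch_lag:
        state.patch_level = state.available_patch_level
        actions.append("patch")
    if policy.require_encryption and not state.encrypted:
        state.encrypted = True
        actions.append("enable_encryption")
    state.history.extend(actions)
    return actions


def run_controller(state, policy, passes=3):
    """Run the reconciliation loop for a few passes, as a daemon would on a timer.
    Only the first pass does work; later passes find nothing to change."""
    return [reconcile(state, policy) for _ in range(passes)]


if __name__ == "__main__":
    db = DatabaseState(patch_level=3, available_patch_level=5, encrypted=False)
    print(run_controller(db, Policy()))   # [['patch', 'enable_encryption'], [], []]
```

The point of the example is that the script knows only its steps, whereas the controller knows the goal: hand it a database that is already patched and encrypted and it does nothing, hand it one that is two patch levels behind and unencrypted and it fixes both, without anyone writing a new sequence of steps.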

At the moment, industry is losing the cat and mouse game against the cyber criminals. Looking beyond databases, I can see lots of other places where autonomy, underpinned by capabilities such as machine learning, will play a crucial role in the cyber war in the near future. There is a long way to go, but it’s an exciting time at Oracle, seeing the emergence of technologies such as the Autonomous Database, as well as our newly designed Identity SOC, and really looking at how they address this changing threat landscape using the latest and greatest innovations.

2018 is going to be an exciting year.

GDPR – it’s all about technology and fines, isn’t it?

Unless you are new to my blog posts, you will know that I spend most of my time talking to organizations about security, whether that is data security, cloud security, people security, or application security. If you are new to my blog posts, then welcome. I hope you enjoy them and find them useful and informative.

For the last 12-18 months, a fair amount of my work and many of my conversations have been in relation to GDPR. I personally think that GDPR is a great step forward for privacy and security. It does a good job of ‘encouraging’ organizations to put more thought and control into how they use and protect personal and sensitive data. However, this post isn’t about how great GDPR is.

Watching the security news and market trends in security, I have seen a lot of different marketing messages and approaches from different IT vendors and consulting companies on the best ways to address GDPR.

Unsurprisingly, from the consultants, it’s all about business transformation and process change, whilst the IT vendors pontificate about how much you need their technologies and how their products are the answer to GDPR. In most cases, much of the marketing has been around the now much-quoted fines. Having worked in security for a long time, I have regularly seen security products marketed based on FUD (Fear, Uncertainty, and Doubt), usually generated by alarming statistics. From a fines point of view, you don’t get much more alarmist than

 “4% of global annual turnover”

(many quoted stats failing to mention the “up to” in front of that)

This scaremongering annoys me and it’s not just me. In a recent blog post, the UK ICO, Elizabeth Denham clearly has the same frustrations. Don’t get me wrong, the fines are important and are a key factor in how seriously organizations are taking GDPR. However, there are other ramifications of not following the GDPR, which also play key factors for any organizational program to address it.

So, how do I think the industry should be talking to organizations about GDPR? It’s simple: they should be helping them, not scaring them. Here are some observations I have made over the last few months.

Be Honest

Lay out the facts of the regulation, not some biased interpretation that suits your product. If the conversation does include a discussion around fines, then talk about the fact that fines are tiered and that article 83 talks about ‘taking into account technical and organizational measures’ when deciding whether to impose administrative fines. Also, talk about the other punitive measures and potential outcomes of a data breach.

Revolution vs Evolution

How revolutionary really is GDPR? We have had many regulations covering various elements of information security for a long time. You will all have heard of, or be familiar with, SOX, DPA, PCI-DSS, HIPAA, FedRAMP etc (I could go on). Many of these regulations cover similar themes such as data encryption, authentication, authorization, patching etc. Therefore, for many organizations, some of the processes and controls necessary for GDPR will already be in place. Of course, there are elements of GDPR which are posing more of a challenge than others, especially around the data privacy elements. These should not be under-estimated.

Don’t Oversell or be oversold to

If your company sells a product or solution that can help an organization address a certain element of GDPR, don’t oversell it as a way of ‘solving GDPR’. As an organization battling with GDPR, be wary of any companies that claim that their solution will ‘make you GDPR compliant’. I have seen software vendors as well as cloud vendors claim this. There is a lot of work to do for GDPR. I don’t see how any vendor can claim to make you GDPR compliant. If, for example, you put your data into a cloud provider, they will be the data processor but the organization will still be the data controller and therefore have their own responsibilities.

As an organization, you should understand where any potential vendor or provider could help, what parts of GDPR it can help with and the limits of that solution.

Identify Quick Wins

GDPR is a business transformation program. It will require business/process/technical changes and those will take time. However, there are things that can be done in parallel. An organization should be looking at quick wins that can help start taking baby steps towards their end goal, rather than waiting until all of the upfront ‘consulting’ work is completed. For example, this could be to start using technology to help find personal and sensitive data within systems, or to start enabling encryption to secure personal data at rest. This gives two benefits. Firstly, when May 2018 arrives, it shows that an organization is making real progress in relation to GDPR. Secondly, we are all seeing the frequency and scale of data breaches in the press. Ignoring GDPR for a moment, just having appropriate controls in place to protect sensitive data (whatever it is), all helps towards mitigating potential exposure.

GDPR Fatigue

12 months ago, I would go in, mention GDPR, and get many blank faces. However, today, most organizations I talk to understand what GDPR is and have a program in place. The maturity of that program varies dramatically, but, at least they have taken the first steps, if not, are nicely heading along their journey. Therefore, covering the basics of GDPR at every session isn’t always necessary. I have seen people present an overview of GDPR to the head of an organization’s GDPR program. If you are a vendor or supplier, be aware of your audience’s existing knowledge.

 

When I talk to organizations about GDPR, I always try to follow my own advice. Whether I am talking about how Oracle can help with technology controls for managing and monitoring user access or data security, or if I am talking about how moving workloads to Oracle Cloud can enhance security, I am always conscious that I follow my own rules, be as honest as possible and don’t oversell, or incorrectly position anything we do. I hope others do too and that organizations recognize when they are being oversold.

Can you trust your cloud provider?

“Trust is like the air we breathe-when it’s present, nobody really notices; when it’s absent, everybody notices.”

This quote from Warren Buffett is particularly relevant in today’s world of the cloud. As I explained in my previous post, whenever you use a cloud provider you are entering into a shared responsibility model where the cloud provider will be responsible for the security of the cloud and you are responsible for the security in the cloud.

However, when you are considering a cloud provider you must think carefully about trust. For example, do you trust your cloud provider not to look at your data, do you trust the effectiveness of their security controls, not just externally but including their own operations staff, and are you confident they would inform you if they suffered a breach?

With the advent of cloud computing, the barrier of entry for budding, small software companies has never been lower. As a result, we are constantly seeing new start-ups, especially in the fast-paced world of security. However, security is hard to get right and designing your software in a secure manner requires experience and skills. Unfortunately, vendors don’t always get it right. Don’t worry, this post isn’t a witch hunt against small vendors who have got it wrong. Read on and I’ll explain.

We all know that data breaches happen on an almost daily basis as they are constantly in the news. Take the most recent story last week about Verizon and the loss of data from their cloud provider’s storage services. I could go on and list many more attacks but that’s not the purpose of this article.

When considering cloud providers you need to ask yourself whether you can trust that provider. Even if you do, I believe that you should still work on the assumption that your data will be breached. Yes, you heard me correctly. No matter what controls you or your cloud provider have in place, if you make the assumption of a data breach, it will allow you to think about your security controls and your response to any breach in a different light. If we continue with that working assumption, then we should be asking ourselves two key questions.

1) Is my provider building secure software and platforms?

If security were easy then we wouldn’t see as many successful attacks in the news as we do. Unfortunately, even with the best intentions, cloud providers don’t always get it right. Take the recent example of the OneLogin attack last month, when, according to reports, an attacker was able to get access to some AWS keys and start exfiltrating sensitive data from the database. Should the keys with such powerful access have even been in an internet-facing location? If not, then was this a mistake or a design flaw? Is this the fault of the cloud provider or the software company? Whatever the answers to these questions, it was clearly an issue which led to a breach.

This comes back to security assurance and solid design and implementation throughout the software development lifecycle. As a security-focused company, security is something Oracle has always taken seriously. We have a well-established software security assurance framework which, as the linked page states, is intended to be:

“Encompassing every phase of the product development lifecycle, Oracle Software Security Assurance (OSSA) is Oracle’s methodology for building security into the design, build, testing, and maintenance of its products”

Anyone who has worked in security for any length of time knows that security isn’t a one-off event, but, is something which has to be built into your overall development lifecycle from start to finish.

This leads us to our second question.

2) How well does my provider respond to a data breach or security issue?

Even with the best will in the world and the best QA processes, mistakes do happen, either through bugs or poor design choices. Therefore, how a company responds to any issues is of paramount importance. Since I used a cloud-based SSO provider in my previous example, why not do the same again, this time LastPass. They have been plagued by a number of security issues recently as Tavis Ormandy from Google’s Project Zero has been digging into their service. However, as a responsible cloud provider, they have been extremely responsive in addressing and fixing the issues quickly. This is what we need and have to expect from cloud providers in this world where our data is always online and typically accessible over the internet.

For all of your cloud providers, do you trust that they would notify you in the event of a data breach? Within what timescales would they notify you? As for Oracle, we document our response to security breaches and our notification policy in our Data Processing Agreement. We want customers to have the confidence that we know what we are doing and that we have built an enterprise cloud platform, providing a secure set of services underpinned by a secure platform, with all the necessary governance, policies and procedures in place to ensure that we minimize any risk but also identify and respond to any incidents that may occur.

Take Responsibility For Your Cloud Data Before An Attacker Does

As I have mentioned in previous blog posts, I spend a significant amount of my time talking to customers about their Cloud strategy, explaining to them about security controls they should consider when moving to Cloud, and, how Oracle addresses security within its own Cloud.

One area that still surprises me in my discussions with organizations is the common misconception that a Cloud Provider is solely responsible for the security of their data within the Cloud. Even before the looming threat of GDPR compliance and fines, Cloud has always been a model of shared responsibility. Gartner discussed this in a report back in April 2016. Their summary explains this concept well:

“While public cloud providers typically have strong control attestations, numerous compliance certifications and their own security features, CSPs cannot offer complete security. CISOs and security leaders must understand the scope of their responsibilities for security in the cloud.”

The way I like to explain it is that Oracle (as a Cloud Provider) is responsible for security of the cloud, whilst you, the customer, are responsible for the security in the cloud. You might think that this is just semantics but the differentiation is important. There are a couple of ways to look at this:

 

At a high level, you can see that whilst the Cloud Provider has some responsibilities, actually, the customer also has a significant number of areas where the control either is wholly theirs, or shared with the Cloud Provider. Even in the red area above, there is still shared responsibility. The wedge shows how this differs depending on the type of Cloud service a customer is using.

 

As you can see from the diagram above, the customer responsibility for security can be a significant undertaking, especially if adopting IaaS. This is often why customers will choose to adopt PaaS or SaaS offerings. Whilst the higher up the ‘as-a-service’ stack you go, the less flexibility you get, you also get less responsibility for security and less to operationally manage.

One point of interest in the graphic above is that the common customer responsibilities across all three services are the data and the service configuration.

Think about it: if you subscribe to Database-as-a-Service, you will be provisioned a secure instance of a database (at least in Oracle Cloud you will). For Oracle, that instance will have a number of security controls already in place and enabled by default, such as encryption at rest, SSH access with key-based authentication, configured but disabled firewall rules etc. Beyond that, Oracle will also be securing the infrastructure itself, everything from the data center up to the instance, providing a range of technology, people, and process controls (the bits in red in the diagram). However, if, as part of your service configuration, you decide to open up all ports on the firewall to that instance, upload your production data, and enable a powerful DBA-level account with a simple password, the chances are your data will be compromised. I hope that illustrates why shared responsibility is so important and why, as a customer, you must be clear on what you are responsible for and what the Cloud Provider is responsible for, recognizing that this will be different across IaaS, PaaS, and SaaS.

So, what does this mean for your cloud services? You need to ensure that you have sufficient controls in place to protect your cloud services. Some of these controls will be provided by the Cloud Provider, but managed by you, e.g. user management, whilst others are additional controls that you should be implementing as part of your overall security strategy. Below are three key considerations you should be thinking about.

User Management – For any cloud service you subscribe to, you will have to manage the users who have access and the level of access they have. As the number of cloud services you use increases, and the number of Cloud Providers you use increases with it, this re-introduces the whole problem of Identity Management (IDM), which organizations have been addressing on-premise for a long time. What makes Cloud different is that you may well be opening up services to new user bases such as customers and partners.

When looking at IDM in the cloud, it is imperative that it isn’t treated in isolation. You must ensure you have the same controls and governance over your cloud services as you do for existing, on-premise systems. This may mean extending your existing IDM to cover your cloud services, integrating a cloud-based IDM platform with your on-premise, or moving your IDM to a pure cloud IDM platform. Oracle is ideally placed to support you in all three scenarios with our most comprehensive IAM platform, combining a market-leading IAM on-premise platform, with a modern, new, cloud IAM platform. You can find more details here.

Network Access – When using a Cloud Provider, the default access is over the internet. For many customers, this is ideal as it removes technology constraints for their users accessing the services. However, in some cases, this may not be good enough. Therefore, you must carefully consider how you will integrate with your Cloud Provider. Most providers include a number of private connection options. For Oracle, there are a number of options ranging from VPNs, through to Fast Connect and MPLS connections, depending on your requirements.

User/Service Monitoring – This is not an area that is usually thought about by organizations, but with the modern, sophisticated, low and slow attacks, understanding how users are using your cloud services and building up profiles of normal vs anomalous behavior is hugely important in identifying threats. Also, understanding how a cloud service is configured and whether that configuration has changed is important. You may have done your due diligence when setting up your cloud service, e.g. Office 365, but how often do you go back and check that the configuration is still secure and hasn’t changed? As with IDM, user/service monitoring should not be done in isolation but should feed into your existing monitoring capabilities. I would argue that monitoring of your cloud services is actually more important than monitoring those systems buried deep behind firewalls in your internal network. Why? Because typically cloud services are accessible over the internet 24x7x365. I briefly talked last time about the concept of an Identity Security Operations Center (SOC) framework, which brings in cloud-optimized capabilities such as Cloud Access Security Broker (CASB) and uses it as a component, monitoring your users’ activity and service configuration and feeding into your overall monitoring platform, adding identity context along the way.
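The Database-as-a-Service scenario earlier in this post (a securely provisioned instance that the customer then exposes by opening all firewall ports and enabling a DBA account with a simple password) and the configuration-drift question just above both come down to the same customer-side control: audit the service configuration you own, and keep checking it against the baseline you validated. The following is an added example, not Oracle code and not a real Oracle Cloud configuration format; the `PROVISIONED` document, its keys, and the `customer_misconfigure` helper are constructed to mirror the scenario in the post.

```python
"""Audit a DBaaS instance configuration and detect drift from its validated baseline.
Added example; the configuration keys are constructed for illustration."""
import copy
import hashlib
import json

# Constructed sample: an instance as provisioned, with the defaults the post
# describes (encryption at rest, key-only SSH, restrictive firewall rules).
PROVISIONED = {
    "encryption_at_rest": True,
    "ssh": {"password_auth": False, "key_auth": True},
    "firewall": {"enabled": True,
                 "rules": [{"port": 22, "source": "10.0.0.0/8"},
                           {"port": 1521, "source": "10.0.0.0/8"}]},
    "accounts": [{"name": "sys", "role": "DBA", "enabled": True,
                  "password": "q7$Lw2pX!m9RkTz4"}],
}

COMMON_PASSWORDS = {"password", "password1", "oracle", "welcome1", "admin123"}


def check_encryption(cfg):
    return [] if cfg.get("encryption_at_rest") else ["encryption at rest disabled"]


def check_ssh(cfg):
    ssh = cfg.get("ssh", {})
    findings = []
    if ssh.get("password_auth"):
        findings.append("SSH password authentication enabled")
    if not ssh.get("key_auth"):
        findings.append("SSH key authentication disabled")
    return findings


def check_firewall(cfg):
    fw = cfg.get("firewall", {})
    if not fw.get("enabled"):
        return ["firewall disabled"]
    findings = []
    for rule in fw.get("rules", []):
        # "*" = every port; 0.0.0.0/0 = the whole internet as the allowed source.
        if rule.get("port") == "*" or rule.get("source") == "0.0.0.0/0":
            findings.append(f"firewall rule exposes port {rule.get('port')} "
                            f"to {rule.get('source')}")
    return findings


def check_accounts(cfg):
    findings = []
    for acct in cfg.get("accounts", []):
        if not acct.get("enabled") or acct.get("role") != "DBA":
            continue
        pw = acct.get("password", "")
        # Illustrative only: a real audit evaluates the password policy or a
        # credential vault, never a plaintext password held in a config file.
        if len(pw) < 12 or pw.lower() in COMMON_PASSWORDS:
            findings.append(f"DBA account '{acct['name']}' has a weak password")
    return findings


def audit(cfg):
    """Run every check; an empty list means the configuration passes."""
    findings = []
    for check in (check_encryption, check_ssh, check_firewall, check_accounts):
        findings.extend(check(cfg))
    return findings


def fingerprint(cfg):
    """Stable hash of the configuration, so a scheduled job can compare the live
    configuration with the one that was reviewed at go-live."""
    canonical = json.dumps(cfg, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def detect_drift(baseline_fp, cfg):
    return fingerprint(cfg) != baseline_fp


def customer_misconfigure(cfg):
    """Reproduce the post's scenario: open all ports to the internet and enable
    a second DBA-level account with a simple password (constructed data)."""
    bad = copy.deepcopy(cfg)
    bad["firewall"]["rules"].append({"port": "*", "source": "0.0.0.0/0"})
    bad["accounts"].append({"name": "appdba", "role": "DBA",
                            "enabled": True, "password": "welcome1"})
    return bad


if __name__ == "__main__":
    baseline = fingerprint(PROVISIONED)
    live = customer_misconfigure(PROVISIONED)
    print("drift:", detect_drift(baseline, live))
    for finding in audit(live):
        print("FINDING:", finding)
```

Run on the provisioned configuration the audit returns nothing; run on the customer-modified copy it reports the world-open firewall rule and the weak DBA password, and the fingerprint comparison flags the drift even before anyone reads the findings. The fingerprint check is what turns a one-off due-diligence review into the recurring check the post asks for; in practice the job would pull the configuration from the provider's API and ship findings to the existing monitoring platform rather than print them.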

This does also raise the question as to the suitability of your monitoring platform against today’s threats and challenges. I talk to organizations who have very mature SOCs, using a multitude of tools, but they are having challenges in knitting together all of these tools or realizing the true value of their SOC as their analysts have got many different tools and consoles to use to find the real threats. Maybe it’s time to re-visit your SOC requirements and see what services like Oracle’s Security Monitoring and Analytics Cloud Service can do for you.

Above are just three key areas where I see organizations tripping up or missing capabilities today. There are, of course, plenty of other security considerations but we would be here until Christmas if I tried to list them all.

Oracle, a security company? – InfoSec Europe 2017

A couple of weeks ago I spent 3 days exhibiting at InfoSec Europe 2017 in London, an event I have been attending as either an exhibitor or visitor for a number of years. This year definitely seemed to be the busiest I have seen with a good mix of your usual, large vendors, as well as some great presence from the smaller security companies, clearly spending their annual marketing budgets getting their name out there with big, shiny stands.


So, what was Oracle doing at a security conference I hear you ask? Don’t worry, you are not alone! During the course of the event, a number of the visitors to the Oracle stand asked me that same question.

Questions such as:

“What does Oracle do in the security space?”

and, of course, my favorite,

“You’re just a database company, right?”

Yes, it’s true, Oracle is a database company and has been for nearly 40 years. However, in case you have been living under a rock for the last couple of decades, that is by no means all that we do. As the 2nd largest software company in the world, database is only one string of our considerable bow. In the security space, specifically around software, Oracle has strong security credentials at all layers of the stack from applications to disk. In fact, if you search on the history of Oracle you will find some interesting information related to the name “Oracle”, its history, and our first customer.

So, what were we talking about on the Oracle stand to demonstrate our credentials and to show that, actually, whilst we aren’t just a database company, we do have market-leading experience in this area which is extremely relevant to today’s security conversation?

1. EU GDPR (Well, wasn’t everyone?)

Whether you like it or not, GDPR is coming and surveys show that the UK is woefully unprepared for it. It seemed that GDPR was this year’s buzzword at InfoSec with most stands relating their solutions to GDPR, even when the link seemed tenuous at best. However, unlike some vendors, Oracle was not proposing to make you “GDPR compliant” or to solve all of your GDPR challenges. We know our strengths and where we can help customers. Think about it: where is most of your personal, digital data which is relevant to GDPR stored? Yes, you guessed it, in a database, and as the market leader, for many visitors to InfoSec, that is the Oracle database. We understand data and, furthermore, know how to secure it at source. The Oracle database has a wide range of security controls, both built-in and as additional options, which can help mitigate a number of risks identified within GDPR. This is the same whether you are using the database on-premise or in the cloud.

Whilst we have technological controls, many of my conversations with customers on this topic identify the initial GDPR challenge as finding out where their sensitive data is, before they can even think about securing it. Therefore, we also had Oracle Consulting on the stand sharing their invaluable insight with visitors on what they are seeing on their projects and how they are helping customers with a pre-packaged GDPR engagement.

2. Identity Security Operations Centre (SOC)

Identity management has had a chequered history at InfoSec. Some years, most of the Gartner MQ vendors are exhibiting, whilst other years, not so much. Why do I think that is? Well, for me it’s quite simple, I don’t see traditional IDM as a security problem. Yes, when done properly, IDM can reduce risk, but I see IDM as a business-driven project. However, I think the role of IDM is changing. Identity can no longer be treated as a standalone project. Looking at the bigger security challenges, Identity forms a crucial part of broader security monitoring and enforcement solutions. On Thursday at the event, we had Oracle’s Group Vice President for Security, Rohit Gupta, introduce Oracle’s Identity Centric SOC, looking at how we re-think traditional security monitoring tools by putting Identity at the centre and using Identity to drive security decisions and responses across all platforms, both on-premise and in the cloud. The Identity SOC framework is Oracle’s answer to delivering the next generation of SOCs, addressing the shortfalls of traditional SOCs using the latest technological innovations such as machine learning.

3. Cloud Security

Following on from the previous theme of Identity SOC: many customers have solutions in place for monitoring and controlling usage of on-premise applications; however, the same controls don’t exist for cloud-based services. I spend most of my time talking to customers about their cloud strategies. We know most organizations are already on the cloud journey, whether dipping their toe in the water or already adopting a full cloud-first strategy. However, we also know that security in the cloud is still one of the main concerns of C-level executives. We were talking about our Cloud Access Security Broker, how it can deliver against a new set of cloud security requirements, and how it forms a key part of the previously mentioned Identity SOC framework.

4. Oracle Cloud Security

Probably the biggest surprise for many of the visitors to the Oracle stand is that Oracle has a Cloud. Unbeknownst to some of the visitors I spoke to, Oracle actually has the most complete cloud on the market, with the broadest range of services covering Data, Software, Platform, and Infrastructure as-a-Service. Just go to cloud.oracle.com to see the breadth of our capabilities. N.B. If you are interested in trying Oracle Cloud, we are currently offering $300 of free credits.

As mentioned previously, security of the cloud is one of the major concerns of C-level executives. This is the same irrespective of which cloud vendor you are using. Therefore, we spent a lot of time at InfoSec talking to visitors about how Oracle has a secure, enterprise cloud, giving them the confidence that, in many cases, the Oracle Cloud is actually more secure than their existing on-premise systems.


So, hopefully, I will have broadened your mind around Oracle’s capabilities. Of course, I haven’t even touched on some of the other security areas which are key for Oracle, such as the security innovations within our latest SPARC processors. That can be for another day.

Yes, Oracle is a database company and proud of it, but we do SO MUCH more.

I wonder what the ‘buzzword’ will be at next year’s InfoSec?

Best Practice for IAM Projects

I was recently asked to provide some best practice advice for Identity Management projects. This got me thinking and led me to write down some recommendations. I thought it might be useful to share my thoughts.

Identity Management has been delivering business value within organisations for many years. Over that time, thousands of deployments have enabled a number of lessons to be learned, which can help organisations ensure that they are not taking an approach which works against recognised good practice and will cause problems as Identity requirements evolve.

Traditionally, Identity Management projects have been seen as complex, expensive and never-ending. Many people are looking to the Cloud to simplify identity management. Whilst the Cloud can introduce speed and agility into an IAM project, there are still fundamental challenges which must be addressed. The Cloud can help simplify the technology; however, as with most business transformation projects, the technology is only one part of the triad of People, Process, and Technology.

It has been seen, over and over again, that many organisations fall into the same pitfalls with IAM projects. Here are some of the areas which organisations must consider when looking at an IAM project.

Business-Driven Project – In my experience, the biggest cause of failure is when an IAM project is treated purely as an IT project. Implementing IAM has a significant impact on the business, and the organisational and cultural impact must not be underestimated. At the end of the day, you are not just trying to automate existing processes; you are using the IAM project to re-evaluate business processes to make them more efficient. Early engagement with the business is crucial to the success of an IAM project, which should be seen as an enabler for business strategy, i.e. providing a foundation to open up the business on new channels (digital transformation).

Minimise Customisation – Most organisations think of themselves as unique, having individual requirements which no other organisation has. Therefore, Identity Management solutions are often heavily customised to meet existing business processes and procedures. This makes any IAM platform expensive to manage and difficult to upgrade and maintain. In reality, irrespective of industry, most organisations have very similar IAM requirements and therefore most processes (e.g. a joiner’s process) can, and should, be standardised. Offering lines of business the ultimate level of flexibility and configuration comes at a high price. Of course, there may be that one edge case which absolutely needs customisation, and therefore any IAM solution must be flexible enough to support this. However, the bulk of the use cases should be addressed in as standardised a way as possible. Instead of approaching requirements with “What do you want the flow to be?”, you should approach them with “Is there any reason why I can’t use this standard flow?” Whilst the Oracle IAM platform enables a high level of flexibility where it is necessary, it also provides a number of out-of-the-box configuration options to help minimise the level of customisation required. This includes (but is not limited to): a number of standard approval workflows, UIs which can be branded and configured without customisation, and a rich set of APIs where extended capability is required, so that the core platform is not customised and upgrades are not made difficult.

Utilise Open Standards – Proprietary or bespoke integrations add another layer of complexity and cost to any deployment. Identity open standards are mature and provide a rich set of protocols, including: SAML, OAuth, OpenID Connect, SCIM, and LDAP. Where possible, open standards should be used to avoid the need to develop and maintain bespoke integrations. Oracle is a firm believer in open standards. Not only are identity open standards widely supported across our platform, but Oracle also helps to drive many of the above open standards through direct involvement in the appropriate working groups.
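As an added illustration of the two preceding points (a standardised joiner/leaver flow expressed through an open standard), here is a minimal SCIM 2.0 (RFC 7643/7644) handler. It is my own example, not Oracle's code: it validates an inbound User resource for the joiner case and applies a PatchOp message for the leaver case, which in SCIM is the standard `replace active=false` operation rather than a bespoke API call. The sample requests are constructed, and the path handling is deliberately limited to simple attribute paths (no SCIM filter expressions), which is an assumption of this example rather than a limit of the standard.

```python
"""
Minimal SCIM 2.0 user validation and PatchOp application.

Added example, not Oracle's code. Supports simple attribute paths only
(e.g. "active", "name.givenName", "emails"); SCIM filter expressions in
paths are out of scope here.
"""
import copy
import json

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
MULTI_VALUED = {"emails", "phoneNumbers", "groups"}

# Constructed joiner request, as an identity provider might send it.
JOINER_REQUEST = json.dumps({
    "schemas": [USER_SCHEMA],
    "userName": "alice@example.com",
    "name": {"givenName": "Alice", "familyName": "Smith"},
    "emails": [{"value": "alice@example.com", "primary": True}],
    "active": True,
})

# Constructed leaver request: the standard SCIM de-provisioning operation.
LEAVER_PATCH = json.dumps({
    "schemas": [PATCH_SCHEMA],
    "Operations": [{"op": "replace", "path": "active", "value": False}],
})


def validate_user(doc):
    """Return a list of problems; an empty list means the resource is acceptable."""
    problems = []
    if USER_SCHEMA not in doc.get("schemas", []):
        problems.append("missing core User schema URN")
    if not doc.get("userName"):
        problems.append("userName is required")
    primaries = [e for e in doc.get("emails", []) if e.get("primary")]
    if len(primaries) > 1:
        problems.append("at most one primary email allowed")
    return problems


def _walk(doc, path):
    """Resolve 'a.b.c' to (parent_dict, last_key), creating intermediates."""
    parts = path.split(".")
    node = doc
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    return node, parts[-1]


def apply_patch(user, patch):
    """Apply a SCIM PatchOp to a copy of user; raise ValueError on bad input."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    result = copy.deepcopy(user)
    for operation in patch.get("Operations", []):
        op = operation.get("op", "").lower()
        path = operation.get("path")
        if not path:
            raise ValueError("only path-qualified operations are supported here")
        parent, key = _walk(result, path)
        if op == "replace":
            parent[key] = operation["value"]
        elif op == "add":
            if key in MULTI_VALUED:
                values = operation["value"]
                parent.setdefault(key, []).extend(
                    values if isinstance(values, list) else [values])
            else:
                parent[key] = operation["value"]
        elif op == "remove":
            parent.pop(key, None)
        else:
            raise ValueError("unknown op: %r" % op)
    return result


def process_joiner(raw=JOINER_REQUEST):
    """Joiner flow: parse and validate the inbound User resource."""
    user = json.loads(raw)
    problems = validate_user(user)
    if problems:
        raise ValueError("; ".join(problems))
    return user


def process_leaver(user, raw=LEAVER_PATCH):
    """Leaver flow: deactivate via the standard PatchOp, leaving the input untouched."""
    return apply_patch(user, json.loads(raw))


if __name__ == "__main__":
    joined = process_joiner()
    print(json.dumps(process_leaver(joined), indent=2))
```

Because every SCIM-capable target accepts the same two messages, the joiner and leaver processes need no per-application connector code, which is the cost the "Minimise Customisation" and "Utilise Open Standards" points are trying to avoid.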

Consider All Identity Types – Whilst an organisation may be considering Identity Management for a specific project today, requirements evolve. Digital transformation has shown that customer focus has become more important than ever before. It is important that an organisation’s Identity Management platform is capable of handling as-yet-unknown Identity Management requirements, across multiple channels, for different sets of users, covering a myriad of use cases. Recognising that different use cases may require different approaches is also critical. For example, enabling digital services for a new set of customers, where all of the underpinning applications exist in the cloud, may mean that those users only exist as a cloud identity. However, enabling partner access, where the systems being accessed exist across both on-premise and cloud, may mean the users need to exist across both environments. It is important that organisations consider an IAM platform which has the capabilities to accommodate all such use cases, as well as the correct architectural approach to deliver new requirements in the future. Oracle’s hybrid IAM platform enables this flexibility, underpinned by a strong architecture.

Platform vs Point Solutions – As mentioned at the outset, Identity Management is typically seen as a long, complex, expensive project to deploy across an enterprise. There are a number of factors which affect this. However, one of the biggest costs is integration, whether between IAM products or integrating the IAM solution with external components such as target applications. Trying to plumb together Identity Management products from multiple different vendors introduces unnecessary cost and complexity and will drive up delivery costs. Industry analysis[1] has shown that deploying a platform which already has the integration work completed can provide cost savings of up to 48%, leading to 35% fewer deficiencies. Adopting a platform does not mean sacrificing functionality. It is possible to get best-of-breed capabilities whilst still benefiting from a platform. The Oracle IAM platform is regularly recognised as a market leader in individual pillars[2].

Small, incremental wins – In today’s world of rapid agile development, no-one wants to see long-running projects which deliver very little value or return until near the end. Identity Management is no different. Therefore, it is crucial that quick wins are delivered and that further wins are delivered incrementally throughout the lifecycle of the project. For example, if you are doing user lifecycle management, get to grips with the process for requesting access first. Then you can start to integrate your targets, again in phased approaches. For access management, integrate the apps with the biggest impact on the end-user experience first. Don’t focus on the app which is only used by 10 people in a single department.

Information Governance – An IAM project should align to an organisation’s information governance strategy in order to be deemed a success. This includes factors such as regulatory compliance, business continuity planning, operational security (e.g. key management, vulnerability scanning etc.) and should consider integration with such dependent IT systems when delivering any IAM project.

Many of the above points may seem like common sense and the logical approach. Indeed, I am seeing a shift within customers as some of these points are now being actively rolled into projects and business requirements. However, I am also still seeing the older approach. Hopefully, this post has been useful in providing some pointers for your next IAM project.


[1] Aberdeen Group “Analysing Point Solutions vs Platforms”

[2] Gartner Magic Quadrant for Identity Governance and Administration 2016