Head over to Oracle’s Cloud Security blog to see my latest blog post on how identity management can help to enhance SaaS.
Unless you are new to my blog posts, you will know that I spend most of my time talking to organizations about security, whether that is data security, cloud security, people security, or application security. If you are new to my blog posts, then welcome. I hope you enjoy them and find them useful and informative.
For the last 12-18 months, a fair amount of my work and many of my conversations have been in relation to GDPR. I personally think that GDPR is a great step forward for privacy and security. It does a good job of ‘encouraging’ organizations to put more thought and control into how they use and protect personal and sensitive data. However, this post isn’t about how great GDPR is.
Watching the security news and market trends in security, I have seen a lot of different marketing messages and approaches from different IT vendors and consulting companies on the best ways to address GDPR.
Unsurprisingly, from the consultants, it’s all about business transformation and process change, whilst the IT vendors pontificate about how much you need their technologies and how their products are the answer to GDPR. In most cases, much of the marketing has been around the now much-quoted fines. Having worked in security for a long time, I have regularly seen security products marketed based on FUD (Fear, Uncertainty, and Doubt), usually generated by alarming statistics. From a fines point of view, you don’t get much more alarmist than
“4% of global annual turnover”
(many quoted stats failing to mention the “up to” in front of that)
This scaremongering annoys me, and it’s not just me. In a recent blog post, the UK ICO, Elizabeth Denham, clearly has the same frustrations. Don’t get me wrong, the fines are important and are a key factor in how seriously organizations are taking GDPR. However, there are other ramifications of not following the GDPR, which are also key factors for any organizational program to address it.
So, how do I think the industry should be talking to organizations about GDPR? It’s simple: they should be helping them, not scaring them. Here are some observations I have made over the last few months.
Lay out the facts of the regulation, not some biased interpretation that suits your product. If the conversation does include a discussion around fines, then talk about the fact that fines are tiered and that article 83 talks about ‘taking into account technical and organizational measures’ when deciding whether to impose administrative fines. Also, talk about the other punitive measures and potential outcomes of a data breach.
Revolution vs Evolution
How revolutionary really is GDPR? We have had many regulations covering various elements of information security for a long time. You will all have heard of, or be familiar with, SOX, DPA, PCI-DSS, HIPAA, FedRAMP etc. (I could go on). Many of these regulations cover similar themes such as data encryption, authentication, authorization, patching etc. Therefore, for many organizations, some of the processes and controls necessary for GDPR will already be in place. Of course, there are elements of GDPR which are posing more of a challenge than others, especially around the data privacy elements. These should not be underestimated.
Don’t Oversell or be oversold to
If your company sells a product or solution that can help an organization address a certain element of GDPR, don’t oversell it as a way of ‘solving GDPR’. As an organization battling with GDPR, be wary of any companies that claim that their solution will ‘make you GDPR compliant’. I have seen software vendors as well as cloud vendors claim this. There is a lot of work to do for GDPR. I don’t see how any vendor can claim to make you GDPR compliant. If, for example, you put your data into a cloud provider, they will be the data processor but the organization will still be the data controller and therefore have their own responsibilities.
As an organization, you should understand where any potential vendor or provider could help, what parts of GDPR it can help with and the limits of that solution.
Identify Quick Wins
GDPR is a business transformation program. It will require business/process/technical changes and those will take time. However, there are things that can be done in parallel. An organization should be looking at quick wins that can help start taking baby steps towards their end goal, rather than waiting until all of the upfront ‘consulting’ work is completed. For example, this could be to start using technology to help find personal and sensitive data within systems, or to start enabling encryption to secure personal data at rest. This gives two benefits. Firstly, when May 2018 arrives, it shows that an organization is making real progress in relation to GDPR. Secondly, we are all seeing the frequency and scale of data breaches in the press. Ignoring GDPR for a moment, just having appropriate controls in place to protect sensitive data (whatever it is), all helps towards mitigating potential exposure.
12 months ago, I would go in, mention GDPR, and get many blank faces. However, today, most organizations I talk to understand what GDPR is and have a program in place. The maturity of that program varies dramatically, but at least they have taken the first steps, if they are not already well along their journey. Therefore, covering the basics of GDPR at every session isn’t always necessary. I have seen people present an overview of GDPR to the head of an organization’s GDPR program. If you are a vendor or supplier, be aware of your audience’s existing knowledge.
When I talk to organizations about GDPR, I always try to follow my own advice. Whether I am talking about how Oracle can help with technology controls for managing and monitoring user access or data security, or if I am talking about how moving workloads to Oracle Cloud can enhance security, I am always conscious that I follow my own rules, be as honest as possible and don’t oversell, or incorrectly position anything we do. I hope others do too and that organizations recognize when they are being oversold.
“Trust is like the air we breathe: when it’s present, nobody really notices; when it’s absent, everybody notices.”
This quote from Warren Buffett is particularly relevant in today’s world of the cloud. As I explained in my previous post, whenever you use a cloud provider you are entering into a shared responsibility model where the cloud provider will be responsible for the security of the cloud and you are responsible for the security in the cloud.
However, when you are considering a cloud provider you must think carefully about trust. For example, do you trust your cloud provider not to look at your data, do you trust the effectiveness of their security controls, not just externally but including their own operations staff, and are you confident they would inform you if they suffered a breach?
With the advent of cloud computing, the barrier to entry for budding, small software companies has never been lower. As a result, we are constantly seeing new start-ups, especially in the fast-paced world of security. However, security is hard to get right and designing your software in a secure manner requires experience and skills. Unfortunately, vendors don’t always get it right. Don’t worry, this post isn’t a witch hunt against small vendors who have got it wrong. Read on and I’ll explain.
We all know that data breaches happen on an almost daily basis as they are constantly in the news. Take the most recent story last week about Verizon and the loss of data from their cloud provider’s storage services. I could go on and list many more attacks but that’s not the purpose of this article.
When considering cloud providers you need to ask yourself whether you can trust that provider. Even if you do, I believe that you should still work on the assumption that your data will be breached. Yes, you heard me correctly. No matter what controls you or your cloud provider have in place, if you make the assumption of a data breach, it will allow you to think about your security controls and your response to any breach in a different light. If we continue with that working assumption, then we should be asking ourselves two key questions.
1) Is my provider building secure software and platforms?
If security were easy then we wouldn’t see as many successful attacks in the news as we do. Unfortunately, even with the best intentions, cloud providers don’t always get it right. Take the recent example of the OneLogin attack last month, when, according to reports, an attacker was able to get access to some AWS keys and start exfiltrating sensitive data from the database. Should the keys with such powerful access have even been in an internet-facing location? If not, then was this a mistake or a design flaw? Is this the fault of the cloud provider or the software company? Whatever the answers to these questions, it was clearly an issue which led to a breach.
This comes back to security assurance and solid design and implementation throughout the software development lifecycle. Security is something Oracle, as a security-focused company, has always taken seriously. We have a well-established software security assurance framework whose stated intention, as the above link puts it, is:
“Encompassing every phase of the product development lifecycle, Oracle Software Security Assurance (OSSA) is Oracle’s methodology for building security into the design, build, testing, and maintenance of its products”
Anyone who has worked in security for any length of time knows that security isn’t a one-off event but is something which has to be built into your overall development lifecycle from start to finish.
This leads us to our second question.
2) How well does my provider respond to a data breach or security issue?
Even with the best will in the world and the best QA processes, mistakes do happen, either through bugs or poor design choices. Therefore, how a company responds to any issues is of paramount importance. Since I used a cloud-based SSO provider in my previous example, why not do the same again, this time with LastPass. They have been plagued by a number of security issues recently as Tavis Ormandy from Google’s Project Zero has been digging into their service. However, as a responsible cloud provider, they have been extremely responsive, fixing the issues quickly. This is what we need and have to expect from cloud providers in this world where our data is always online and typically accessible over the internet.
For all of your cloud providers, do you trust that they would notify you in the event of a data breach? Within what timescales would they notify you? As for Oracle, we document our response to security breaches and our notification policy in our Data Processing Agreement. We want customers to have the confidence that we know what we are doing and that we have built an enterprise cloud platform, providing a secure set of services underpinned by a secure platform, with all the necessary governance, policies and procedures in place to ensure that we minimize any risk but also identify and respond to any incidents that may occur.
As I have mentioned in previous blog posts, I spend a significant amount of my time talking to customers about their Cloud strategy, explaining to them about security controls they should consider when moving to Cloud, and, how Oracle addresses security within its own Cloud.
One area that still surprises me in my discussions with organizations is the common misconception that a Cloud Provider is solely responsible for the security of their data within the Cloud. Even before the looming threat of GDPR compliance and fines, Cloud has always been a model of shared responsibility. Gartner discussed this in a report back in April 2016. Their summary explains this concept well:
“While public cloud providers typically have strong control attestations, numerous compliance certifications and their own security features, CSPs cannot offer complete security. CISOs and security leaders must understand the scope of their responsibilities for security in the cloud.”
The way I like to explain it is that Oracle (as a Cloud Provider) is responsible for security of the cloud, whilst you, the customer, are responsible for the security in the cloud. You might think that this is just semantics but the differentiation is important. There are a couple of ways to look at this:
At a high level, you can see that whilst the Cloud Provider has some responsibilities, actually, the customer also has a significant number of areas where the control either is wholly theirs, or shared with the Cloud Provider. Even in the red area above, there is still shared responsibility. The wedge shows how this differs depending on the type of Cloud service a customer is using.
As you can see from the diagram above, the customer responsibility for security can be a significant undertaking, especially if adopting IaaS. This is often why customers will choose to adopt PaaS or SaaS offerings. Whilst the higher up the ‘as-a-service’ stack you go, the less flexibility you get, you also get less responsibility for security and less to operationally manage.
One point of interest in the graphic above is that the common customer responsibilities across all three services are the data and the service configuration.
Think about it: if you subscribe to Database-as-a-Service, you will be provisioned a secure database instance (at least in Oracle Cloud you will). For Oracle, that instance will have a number of security controls already in place and enabled by default, such as encryption at rest, SSH access with key-based authentication, configured but disabled firewall rules etc. Beyond that, Oracle will also be securing the infrastructure itself, everything from the data center up to the instance, providing a range of technology, people, and process controls (the bits in red in the diagram). However, if, as part of your service configuration, you decide to open up all ports on the firewall to that instance, upload your production data, and enable a powerful DBA-level account with a simple password, the chances are your data will be compromised. I hope that illustrates why shared responsibility is so important and why, as a customer, you must be clear on what you are responsible for and what the Cloud Provider is responsible for, recognizing that this will be different across IaaS, PaaS, and SaaS.
So, what does this mean for your cloud services? You need to ensure that you have sufficient controls in place to protect your cloud services. Some of these controls will be provided by the Cloud Provider, but managed by you, e.g. user management, whilst others are additional controls that you should be implementing as part of your overall security strategy. Below are three key considerations you should be thinking about.
User Management – For any cloud service you subscribe to, you will have to manage the users who have access and the level of access they have. As the number of cloud services you subscribe to, and the number of Cloud Providers you use, both increase, this re-introduces the whole problem of Identity Management (IDM), which organizations have been addressing on-premise for a long time. What makes Cloud different is that you may well be opening up services to new user bases such as customers and partners.
When looking at IDM in the cloud, it is imperative that it isn’t treated in isolation. You must ensure you have the same controls and governance over your cloud services as you do for existing, on-premise systems. This may mean extending your existing IDM to cover your cloud services, integrating a cloud-based IDM platform with your on-premise, or moving your IDM to a pure cloud IDM platform. Oracle is ideally placed to support you in all three scenarios with our most comprehensive IAM platform, combining a market-leading IAM on-premise platform, with a modern, new, cloud IAM platform. You can find more details here.
Network Access – When using a Cloud Provider, the default access is over the internet. For many customers, this is ideal as it removes technology constraints for their users accessing the services. However, in some cases, this may not be good enough. Therefore, you must carefully consider how you will integrate with your Cloud Provider. Most providers include a number of private connection options. For Oracle, there are a number of options ranging from VPNs, through to Fast Connect and MPLS connections, depending on your requirements.
User/Service Monitoring – This is not an area that is usually thought about by organizations, but with the modern, sophisticated, low and slow attacks, understanding how users are using your cloud services and building up profiles of normal vs anomalous behavior is hugely important in identifying threats. Also, understanding how a cloud service is configured and whether that configuration has changed is important. You may have done your due diligence when setting up your cloud service, e.g. Office 365, but how often do you go back and check the configuration is still secure and hasn’t changed? As with IDM, user/service monitoring should not be done in isolation but should feed into your existing monitoring capabilities. I would argue that monitoring of your cloud services is actually more important than monitoring those systems buried deep behind firewalls in your internal network. Why? Because typically cloud services are accessible over the internet 24x7x365. I briefly talked last time about the concept of an Identity Security Operations Center (SOC) framework, which brings in cloud-optimized capabilities such as a Cloud Access Security Broker (CASB) and uses it as a component, monitoring your users’ activity and service configuration and feeding into your overall monitoring platform, adding identity context along the way.
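A minimal configuration-drift and policy check of the kind argued for above, written as an added example (it is not Oracle’s code and uses no provider API): the two snapshot dictionaries are constructed to reproduce the Database-as-a-Service scenario from earlier (firewall opened to everything, SSH password logins, a DBA account with no password policy) and are compared against the baseline recorded when the instance was first reviewed.

```python
"""Detect drift from a reviewed baseline and flag customer-side misconfigurations
on a database-as-a-service instance.

Added example, not Oracle's code. The snapshot layout is a constructed dictionary
standing in for whatever a provider's inventory export actually returns.
"""
from dataclasses import dataclass

# Constructed baseline: the state recorded when the instance was provisioned and reviewed.
BASELINE = {
    "encryption_at_rest": True,
    "ssh_password_auth": False,           # key-based SSH only
    "firewall_rules": [                   # (protocol, port, source CIDR)
        ("tcp", 22, "203.0.113.0/24"),    # admin range (constructed, RFC 5737 doc prefix)
        ("tcp", 1521, "203.0.113.0/24"),  # database listener from the same range
    ],
    "dba_accounts": {"SYS": {"password_policy": "strong"}},
}

# Constructed current snapshot: the "open all ports, weak DBA password" scenario.
CURRENT = {
    "encryption_at_rest": True,
    "ssh_password_auth": True,
    "firewall_rules": [
        ("tcp", 22, "0.0.0.0/0"),
        ("tcp", 1521, "0.0.0.0/0"),
        ("all", 0, "0.0.0.0/0"),          # "open all ports on the firewall"
    ],
    "dba_accounts": {
        "SYS": {"password_policy": "strong"},
        "APPDBA": {"password_policy": "none"},
    },
}


@dataclass
class Finding:
    severity: str   # "drift" for a change since baseline, "high" for a policy breach
    key: str        # which top-level setting the finding concerns
    message: str


def diff_config(baseline, current):
    """One Finding per top-level setting whose value differs from the baseline."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        if baseline.get(key) != current.get(key):
            findings.append(Finding(
                "drift", key, f"{key} changed: {baseline.get(key)!r} -> {current.get(key)!r}"))
    return findings


def check_policy(config):
    """Customer-side checks: controls enabled by default that the customer can undo."""
    findings = []
    if not config.get("encryption_at_rest"):
        findings.append(Finding("high", "encryption_at_rest", "encryption at rest is disabled"))
    if config.get("ssh_password_auth"):
        findings.append(Finding("high", "ssh_password_auth",
                                "SSH password authentication enabled; expected key-based only"))
    for proto, port, src in config.get("firewall_rules", []):
        if src == "0.0.0.0/0":
            what = "all ports" if proto == "all" else f"{proto}/{port}"
            findings.append(Finding("high", "firewall_rules", f"{what} exposed to the whole internet"))
    for name, acct in config.get("dba_accounts", {}).items():
        if acct.get("password_policy") != "strong":
            findings.append(Finding("high", "dba_accounts",
                                    f"DBA account {name} is not subject to a strong password policy"))
    return findings


def audit(baseline, current):
    """Drift findings first (what changed), then policy findings on the current state."""
    return diff_config(baseline, current) + check_policy(current)


if __name__ == "__main__":
    for f in audit(BASELINE, CURRENT):
        print(f"[{f.severity}] {f.message}")
```

Run periodically against fresh snapshots, the drift findings answer “has it changed?” and the policy findings answer “is it still secure?”, which are the two separate questions the paragraph raises.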
This does also raise the question as to the suitability of your monitoring platform against today’s threats and challenges. I talk to organizations who have very mature SOCs, using a multitude of tools, but they are having challenges in knitting together all of these tools or realizing the true value of their SOC as their analysts have got many different tools and consoles to use to find the real threats. Maybe it’s time to re-visit your SOC requirements and see what services like Oracle’s Security Monitoring and Analytics Cloud Service can do for you.
Above are just three key areas where I see organizations tripping up or missing capabilities today. There are, of course, plenty of other security considerations but we would be here until Christmas if I tried to list them all.
A couple of weeks ago I spent 3 days exhibiting at InfoSec Europe 2017 in London, an event I have been attending as either an exhibitor or visitor for a number of years. This year definitely seemed to be the busiest I have seen with a good mix of your usual, large vendors, as well as some great presence from the smaller security companies, clearly spending their annual marketing budgets getting their name out there with big, shiny stands.
So, what was Oracle doing at a security conference I hear you ask? Don’t worry, you are not alone! During the course of the event, a number of the visitors to the Oracle stand asked me that same question.
Questions such as:
“What does Oracle do in the security space?”
and, of course, my favorite,
“You’re just a database company, right?”
Yes, it’s true, Oracle is a database company and has been for nearly 40 years. However, in case you have been living under a rock for the last couple of decades, that is by no means all that we do. As the 2nd largest software company in the world, database is only one string of our considerable bow. In the security space, specifically around software, Oracle has strong security credentials at all layers of the stack from applications to disk. In fact, if you search on the history of Oracle you will find some interesting information related to the name “Oracle”, its history, and our first customer.
So, what were we talking about on the Oracle stand to demonstrate our credentials and to show that, whilst we aren’t just a database company, we do have market-leading experience in this area which is extremely relevant to today’s security conversation?
1. EU GDPR (Well, wasn’t everyone?)
Whether you like it or not, GDPR is coming and surveys show that the UK is woefully unprepared for it. It seemed that GDPR was this year’s buzzword at InfoSec with most stands relating their solutions to GDPR, even when the link seemed tenuous at best. However, unlike some vendors, Oracle was not proposing to make you “GDPR compliant” or to solve all of your GDPR challenges. We know our strengths and where we can help customers. Think about it, where is most of your personal, digital data, which is relevant to GDPR stored? Yes, you guessed it, in a database, and as the market leader, for many visitors to InfoSec, that is the Oracle database. We understand data and furthermore, know how to secure it at source. The Oracle database has a wide range of security controls, both built-in and as additional options, which can help mitigate a number of risks identified within GDPR. This is the same whether you are using the database on-premise or in the cloud.
Whilst we have technological controls, many of my conversations with customers on this topic identify the initial GDPR challenge as finding out where their sensitive data is, before they can even think about securing it. Therefore, we also had Oracle Consulting on the stand sharing their invaluable insight with visitors on what they are seeing on their projects and how they are helping customers with a pre-packaged GDPR engagement.
2. Identity Security Operations Centre (SOC)
Identity management has had a chequered history at InfoSec. Some years, most of the Gartner MQ vendors are exhibiting, whilst other years, not so much. Why do I think that is? Well, for me it’s quite simple, I don’t see traditional IDM as a security problem. Yes, when done properly, IDM can reduce risk, but I see IDM as a business-driven project. However, I think the role of IDM is changing. Identity can no longer be treated as a standalone project. Looking at the bigger security challenges, Identity forms a crucial part of broader security monitoring and enforcement solutions. On Thursday at the event, we had Oracle’s Group Vice President for Security, Rohit Gupta, introduce Oracle’s Identity Centric SOC, looking at how we re-think traditional security monitoring tools by putting Identity at the centre and using Identity to drive security decisions and responses across all platforms, both on-premise and in the cloud. The Identity SOC framework is Oracle’s answer to delivering the next generation of SOCs, addressing the shortfalls of traditional SOCs using the latest technological innovations such as machine learning.
3. Cloud Security
Following on from the previous theme of Identity SOC, many customers have solutions in place for monitoring and controlling usage of on-premise applications, however, the same controls don’t exist for cloud-based services. I spend most of my time talking to customers about their cloud strategies. We know most organizations are already on the cloud journey, whether dipping their toe in the water, or already adopting a full cloud-first strategy. However, we also know that security in the cloud is still one of the main concerns of C-level executives. We were talking about our Cloud Access Security Broker, how it can deliver against a new set of cloud security requirements, and how it forms a key part of the previously mentioned Identity SOC framework.
4. Oracle Cloud Security
Probably the biggest surprise for many of the visitors to the Oracle stand is that Oracle has a Cloud. Unbeknown to some of the visitors I spoke to, Oracle actually has the most complete cloud on the market, with the broadest range of services covering Data, Software, Platform, and Infrastructure as-a-Service. Just go to cloud.oracle.com to see the breadth of our capabilities. N.B. If you are interested in trying Oracle Cloud, we are currently offering $300 of free credits.
As mentioned previously, security of the cloud is one of the major concerns of C-level executives. This is the same irrespective of which cloud vendor you are using. Therefore, we spent a lot of time at InfoSec talking to visitors about how Oracle has a secure, enterprise cloud, giving them the confidence that, in many cases, the Oracle Cloud is actually more secure than their existing on-premise systems.
So, hopefully, I will have broadened your mind around Oracle’s capabilities. Of course, I haven’t even touched on some of the other security areas which are key for Oracle, such as the security innovations within our latest SPARC processors. That can be for another day.
Yes, Oracle is a database company and proud of it, but we do SO MUCH more.
I wonder what the ‘buzzword’ will be at next year’s InfoSec?
I was recently asked to provide some best practice advice for Identity Management projects. This got me thinking and led me to write down some recommendations. I thought it might be useful to share my thoughts.
Identity Management has been delivering business value within organisations for many years. Over that time, thousands of deployments have enabled a number of lessons to be learned which can help organisations ensure that they are not taking an approach which will work against recognised good practice and cause problems as Identity requirements evolve.
Traditionally, Identity Management projects have been seen as complex, expensive and never-ending. Many people are looking to the Cloud to simplify identity management. Whilst the Cloud can introduce speed and agility into an IAM project, there are still fundamental challenges which must be addressed. The Cloud can help simplify the technology; however, as with most business transformation projects, the technology is only one part in the triad of People, Process, and Technology.
It has been seen, over and over again, that many organisations fall into the same pitfalls with IAM projects. Here are some of the areas which organisations must consider when looking at an IAM project.
Business-Driven Project – In my experience, the biggest cause of failure is when an IAM project is treated purely as an IT project. Implementing IAM has a significant impact on the business, and the organisational and cultural impact should not be underestimated. At the end of the day, you are not just trying to automate existing processes, you are using the IAM project to re-evaluate business processes to make them more efficient. Early engagement with the business is crucial to the success of an IAM project, which should be seen as an enabler for business strategy, i.e. providing a foundation to open up the business on new channels (digital transformation).
Minimise Customisation – Most organisations think of themselves as unique, having individual requirements which no other organisation has. Therefore, Identity Management solutions are often heavily customised to meet existing business processes and procedures. This makes any IAM platform expensive to manage and difficult to upgrade and maintain. In reality, irrespective of industry, most organisations have very similar IAM requirements and therefore most processes (e.g. a joiner’s process) can, and should, be standardised. Offering lines of business the ultimate level of flexibility and configuration comes at a high price. Of course, there may be that one edge case which absolutely needs customisation and therefore any IAM solution must be flexible enough to support this. However, addressing the bulk set of use cases should be as standardised as possible. Instead of approaching requirements like “What do you want the flow to be?”, you should approach it like, “Is there any reason why I can’t use this standard flow?” Whilst the Oracle IAM platform enables a high level of flexibility if it is necessary, it also provides a number of out-of-the-box configuration options to help minimise the level of customisation required. This includes (but is not limited to): a number of standard approval workflows, UIs which can be branded and configured without customisation, and a rich set of APIs where extended capability is required, avoiding customisation of the core platform that would make upgrades difficult.
Utilise Open Standards – Proprietary or bespoke integrations add another layer of complexity and cost to any deployment. Identity open standards are mature and provide a rich set of protocols, including: SAML, OAuth, OpenID Connect, SCIM, and LDAP. Where possible, open standards should be used to avoid the need to develop and maintain bespoke integrations. Oracle is a firm believer in open standards. Not only are identity open standards widely supported across our platform, but Oracle also helps to drive many of the above open standards through direct involvement in the appropriate working groups.
Consider All Identity Types – Whilst an organisation may be considering Identity Management for a specific project today, requirements evolve. Digital transformation has shown that customer focus has become more important than ever before. It is important that an organisation’s Identity Management platform is capable of handling as-yet-unknown Identity Management requirements, across multiple channels, for different sets of users, covering a myriad of use cases. Recognising that different use cases may require different approaches is also critical. For example, enabling digital services for a new set of customers, where all of the underpinning applications exist in the cloud, may mean that those users only exist as a cloud identity. However, enabling partner access where the systems exist across both on-premise and cloud may mean the users need to exist across both environments. It is important that organisations consider an IAM platform which has the capabilities to accommodate all such use cases as well as the correct architectural approach to deliver new requirements in the future. Oracle’s hybrid IAM platform enables this flexibility, underpinned by a strong architecture.
Platform vs Point Solutions – As mentioned at the outset, Identity Management is typically seen as a long, complex, expensive project to deploy across an enterprise. There are a number of factors which affect this. However, one of the biggest costs is integration, whether between IAM products or integrating the IAM solution with external components such as target applications. Trying to plumb together Identity Management products from multiple different vendors adds unnecessary cost and complexity and will drive up delivery costs. Industry analysis has shown that deploying a platform which already has the integration work completed can provide cost savings of up to 48%, leading to 35% fewer deficiencies. Adopting a platform does not mean sacrificing functionality. It is possible to get best-of-breed capabilities whilst still benefiting from a platform. The Oracle IAM platform is regularly recognised as a market leader in individual pillars.
Small, incremental wins – In today’s world of rapid agile development, no-one wants to see long running projects which deliver very little value or return until near the end. Identity Management is no different. Therefore, it is crucial that quick wins are delivered and that ongoing wins are incrementally delivered throughout the lifecycle of the project. For example, if you are doing user lifecycle management, get to grips with the process for requesting access first. Then you can start to integrate your targets, again, all in phased approaches. For access management, integrate the apps with the biggest impact on the end user experience first. Don’t focus on the app which is only used by 10 people in a single department.
Information Governance – An IAM project should align to an organisation’s information governance strategy in order to be deemed a success. This includes factors such as regulatory compliance, business continuity planning, operational security (e.g. key management, vulnerability scanning etc.) and should consider integration with such dependent IT systems when delivering any IAM project.
Many of the above points may seem like common sense and the logical approach. Indeed, I am seeing a shift within customers as some of these points are now being actively rolled into projects and business requirements. However, I am also still seeing the older approach. Hopefully, this post has been useful in providing some pointers for your next IAM project.
 Aberdeen Group “Analysing Point Solutions vs Platforms”
 Gartner Magic Quadrant for Identity Governance and Administration 2016
The shift from desktop and laptop to mobile working is well underway. Many organisations today have either written one (or more) mobile applications for their customers/employees, or are considering it. They understand the importance that mobile computing is having and its growing dominance in the next few years as the primary platform for many users. However, as the use of the platform grows so do users’ expectations. They want an immersive, engaging experience, not just a mobile-friendly rendering of a website. If you don’t capture that ‘wow factor’ within the first few minutes, your app will be deleted.
From a security perspective, this causes IT a challenge. Now you have sensitive information being delivered outside of your network and stored on a potentially unsecured device. On top of that, we now have the added complexity of an additional channel to deal with. To make matters worse, customers have come to expect security to deliver them an enhanced user experience, not just control their access to information. For example, users take web-based SSO for granted. You don’t expect to have to enter your credentials more than once when you access a company’s website. Typically, users don’t differentiate between a web and a mobile channel and therefore expect the same level of user experience. This can be a challenge for an organisation to deliver. How do you re-use the existing Identity and Access Management platform that you have deployed for your web channel and extend it out to your mobile channel, thus gaining re-use whilst saving time and costs?
Fortunately, Oracle makes it extremely easy to do through our Mobile Application Framework. Now, you can take your existing Oracle Identity and Access Management platform and use it as the security layer within your mobile applications. You can use the full capabilities of the platform including risk-based authentication, social identity authentication, as well as authorisation. What’s even better is that you can achieve all of this without writing a single line of code. Yes, that’s right, no coding required.
Let me show you how.
First let’s take a look at my sample application. It won’t win any awards for design, but as you can see it’s made up of 3 separate features (N.B. a feature is a capability).
At the moment, there is no security enabled within the app so you can move back and forth between the features without any authentication.
Now we are going to add two different types of authentication to our application. Yes, as you guessed, the first is a risk-based authentication and the second is social login. Within my environment, I am using JDev 12c (12.1.3) and have Oracle Access Management installed and configured to protect web-based content. Therefore, the user directory and underlying connections are already configured. I have also enabled its Mobile and Social capability.
1. Oracle Access Management Mobile and Social Configuration
When you first enable Mobile and Social, most of the configuration is already setup for you by default. In addition to the out-of-the-box configuration, I created an Application Profile for my MAF application.
The key settings here are to configure it as a “Mobile Configuration” and to provide the platform specific settings. I then configure the MobileServiceDomain.
In this screen I need to configure the security handler and then link my Application Profile to the service domain. Since we want risk-based authentication, we select the pre-defined “OaamSecurityHandlerPlugin”. After adding our MAFTest application profile to this domain we can save the changes.
That’s all we need to configure on the server side for now, so we can focus on our MAF application.
2. MAF Sample Application Configuration
Within my application I can easily see the three features that I have defined. At the moment, none of them have security enabled. We will start by enabling security for the Risk-based login. This is done by checking the box under “Enable Security”.
We have told MAF that we want to secure that feature but not how we will authenticate. So, the next step is within MAF-application.xml where we define the connection for our security server. In our case we are configuring a connection to our OAM mobile and social service. We do this by adding a new MAF Login Connection.
As you can see, we have used the Service Domain and Application Profile that we created earlier. Also, I am using an HTTP load balancer between my application tier and external clients, so I am pointing my connection at port 80. If you were connecting directly to OAM on the default port you would specify port 14100.
Now that I have defined the connection, I can associate that new MAF Login connection with the feature I have enabled security for.
Now, I can save all of my work and deploy my application.
This time when I try to access the risk-based login feature, I get a very different user experience.
Firstly, I am prompted for authentication. These are the same credentials that I would use for any other access (e.g. web-based access) since we are re-using the same access management platform. However, rather than just performing username and password authentication, as part of the login process the Oracle Access Management platform is undertaking a risk-based assessment of the attempted login. It is capturing a number of characteristics, such as the device’s unique fingerprint and location information, and comparing them to the user’s standard behaviour. In this case, it has decided that there is sufficient risk to require an additional level of authentication, which it does by sending me a one-time code. This could just as easily be configured to require me to answer a pre-registered challenge question. You can see a summary of the session within the risk engine web-based UI below.
This shows that a number of policies were executed, a risk score was determined and an action of “Challenge” was decided. For organisations not using the risk-based capability of Oracle Access Management, we can provide standard, non risk-based authentication. All we need to do is change the security plugin within Access Management to use the standard plugin.
So, in summary, what we have just seen is that through configuration alone we have provided security to our sample MAF application using our existing Access Management platform and without writing a single line of code, all through point and click configuration.
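To make the risk engine’s behaviour described above concrete (policies fire, their weights add up to a score, the score maps to Allow, Challenge or Block, and a passed challenge teaches the engine the new device), here is an added example in Python. It is not code from the post or from Oracle Access Management; the policy names, weights, thresholds and the sample baseline for user “alice” are all hypothetical, chosen only to illustrate the decision logic.

```python
from dataclasses import dataclass, field

# Constructed sample baseline: what a risk engine would have learned about a user
# from earlier successful logins. Hypothetical values, not data from the post.
SAMPLE_BASELINE = {
    "alice": {
        "devices": {"fp-1a2b3c"},          # device fingerprints seen before
        "countries": {"GB"},               # countries previously logged in from
        "usual_hours": set(range(7, 20)),  # local hours of normal activity
    }
}

# Policy catalogue (hypothetical): each policy adds its weight when it fires.
POLICIES = {"unknown_device": 40, "new_country": 35, "unusual_hour": 15, "recent_failures": 30}

CHALLENGE_AT = 40  # score at which a second factor (e.g. one-time code) is demanded
BLOCK_AT = 90      # score at which the login is refused outright


@dataclass
class LoginAttempt:
    user: str
    device_fp: str
    country: str
    hour: int                 # local hour of the attempt, 0-23
    failed_attempts: int = 0  # consecutive recent failures for this user


@dataclass
class Decision:
    score: int
    action: str                       # "Allow", "Challenge" or "Block"
    fired: list = field(default_factory=list)


class RiskEngine:
    def __init__(self, baseline):
        # copy the baseline so that learning never mutates the caller's sample data
        self.baseline = {u: {k: set(v) for k, v in p.items()} for u, p in baseline.items()}

    def evaluate(self, attempt: LoginAttempt) -> Decision:
        """Run every policy against the attempt and map the total score to an action."""
        profile = self.baseline.get(attempt.user)
        fired = []
        if profile is None:
            # no history yet: device and location both count as unseen
            fired += ["unknown_device", "new_country"]
        else:
            if attempt.device_fp not in profile["devices"]:
                fired.append("unknown_device")
            if attempt.country not in profile["countries"]:
                fired.append("new_country")
            if attempt.hour not in profile["usual_hours"]:
                fired.append("unusual_hour")
        if attempt.failed_attempts >= 3:
            fired.append("recent_failures")

        score = sum(POLICIES[name] for name in fired)
        if score >= BLOCK_AT:
            action = "Block"
        elif score >= CHALLENGE_AT:
            action = "Challenge"
        else:
            action = "Allow"
        return Decision(score, action, fired)

    def learn(self, attempt: LoginAttempt) -> None:
        """Called once a challenge has been passed: fold the new device and location
        into the baseline so the same user on the same device is not challenged again."""
        profile = self.baseline.setdefault(
            attempt.user,
            {"devices": set(), "countries": set(), "usual_hours": set(range(7, 20))},
        )
        profile["devices"].add(attempt.device_fp)
        profile["countries"].add(attempt.country)


if __name__ == "__main__":
    engine = RiskEngine(SAMPLE_BASELINE)
    roaming = LoginAttempt("alice", "fp-9z9z9z", "FR", hour=10)
    print(engine.evaluate(LoginAttempt("alice", "fp-1a2b3c", "GB", hour=10)))  # Allow
    decision = engine.evaluate(roaming)                                         # Challenge
    print(decision)
    if decision.action == "Challenge":
        engine.learn(roaming)  # the one-time code was entered correctly
    print(engine.evaluate(roaming))                                             # Allow
```

The point to take from the example is that the outcome is the sum of several independent signals rather than any single one: a known device from a new country may still pass, while a new device from a new country in the middle of the night after repeated failures is refused, and a successfully answered challenge enrols the new device so the user is not prompted on every login.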
Now, let’s extend our use case slightly. We have provided risk-based authentication, but what about a lower level of authentication? Many organisations are taking advantage of social authentication to onboard users more easily and lower the barrier of entry for users to access personalised content. It also gives organisations access to a range of social information about the user that they wouldn’t previously have had. Of course, most social networks expose APIs to provide this. However, despite using open standards such as OAuth and OpenID, the integration with each social network is slightly different in its use and configuration. We have extended Oracle’s Access Management platform to take away the headache of trying to integrate with each individual social provider and instead made it a configuration exercise. Yes, you guessed it, without any coding for the developer of your mobile application. Let’s have a look at the configuration.
3. Social Identity Server Side Configuration
The first step is to configure each of the providers that we want to use. Whilst most social identity providers offer their services for free, you have to register and obtain the necessary API tokens to call their service. Within the Access Management console we define the connection-specific settings, such as those shown below for Facebook.
Instructions are provided in the product documentation on how to obtain the consumer key and secret needed. As you can see, we also define which attributes we want the social provider to return. At the time of writing, the Oracle Access Management platform provides out-of-the-box integration with Facebook, Twitter, LinkedIn, Google, and Yahoo. You can create your own custom providers if you have requirements beyond these.
Once we have configured the providers, we define an Application Profile covering social identity login.
This application profile includes details of which social providers we want to enable and how we map the attributes returned from each provider to local attributes in the user repository. In our example, we will just configure Facebook first.
We then create a new Service Domain to link our Application Profile to social login.
Again, that is all we need to configure on the server side. Now to focus on the client.
4. MAF configuration for social identity integration
As before, the first step is to tell MAF that we want to secure our second feature.
We then have to create a new MAF Login Connection for our social integration.
Just as before we create a new connection and configure it to point to the configurations we defined above. Once we have created the connection, we map it to the feature that we want to apply it to, in our case, mycomp.Help2.
That’s it for configuration. Now we can deploy and test our application. This time, after deploying we see a very different flow.
The user is shown their available social providers and they pick one. They are then taken to that provider to authenticate and provide consent (if they haven’t done so previously) before being returned to the sample app as an authenticated user.
What’s really nice about this approach is that if I want to change providers, I can make the change server side and it immediately takes effect. So, if I wanted to add Google as a second provider, I make the change in the Oracle Access Management console to add Google to my Application Profile.
When I apply the change, the next time I try to login to my MAF application through social integration I see that change.
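The social login round trip just described (provider list, redirect to the provider, return with a state parameter and authorization code, attribute mapping into the local user repository, and a server-side profile change taking effect on the next login), as an added example in Python. This is not code from the post, from MAF or from Oracle Access Management, which does this through console configuration; the provider responses are constructed, the token exchange is simulated in-process, and the attribute names and URLs are hypothetical.

```python
import copy
import secrets

# Constructed stand-in for the Application Profile configured in the console:
# which providers are enabled, and how each provider's attribute names map onto
# the local user repository's attributes. Names are hypothetical.
APPLICATION_PROFILE = {
    "enabled_providers": ["facebook"],
    "attribute_mapping": {
        "facebook": {"id": "uid", "email": "mail", "name": "displayName"},
        "google":   {"sub": "uid", "email": "mail", "name": "displayName"},
    },
}

# Constructed provider userinfo responses, standing in for what each provider
# returns once the code is exchanged. Note they disagree on the subject field
# ("id" vs "sub"); the mapping table absorbs that per-provider difference.
PROVIDER_USERINFO = {
    "facebook": {"id": "10001", "email": "alice@example.com", "name": "Alice Example"},
    "google":   {"sub": "g-777", "email": "alice@example.com", "name": "Alice Example",
                 "picture": "https://google.example/p.png"},
}


def exchange_code(provider: str, code: str) -> dict:
    """Simulated token endpoint: accepts one constructed code and returns the profile."""
    if code != "valid-code":
        raise PermissionError("authorization code rejected by provider")
    return PROVIDER_USERINFO[provider]


def map_attributes(mapping: dict, raw: dict) -> dict:
    """Translate provider attribute names to local ones; unmapped attributes are dropped."""
    local = {mapping[k]: v for k, v in raw.items() if k in mapping}
    if "uid" not in local:
        raise ValueError("provider response lacks the subject identifier")
    return local


class SocialLogin:
    def __init__(self, profile: dict, user_repository: dict):
        self.profile = profile        # read on every call, so server-side edits apply at once
        self.users = user_repository  # local repository keyed by "provider:uid"
        self._pending = {}            # state -> provider for redirects still in flight

    def available_providers(self) -> list:
        return list(self.profile["enabled_providers"])

    def start(self, provider: str) -> str:
        """Step 1: the user picks a provider; return the redirect URL carrying a fresh state."""
        if provider not in self.profile["enabled_providers"]:
            raise ValueError(f"{provider} is not enabled in the application profile")
        state = secrets.token_urlsafe(16)
        self._pending[state] = provider
        return f"https://{provider}.example/authorize?state={state}"  # constructed URL

    def complete(self, state: str, code: str):
        """Step 2: the provider redirects back with state and code; verify, map, provision."""
        provider = self._pending.pop(state, None)  # single use: a replayed state is refused
        if provider is None:
            raise PermissionError("unknown or replayed state parameter")
        raw = exchange_code(provider, code)
        local = map_attributes(self.profile["attribute_mapping"][provider], raw)
        key = f"{provider}:{local['uid']}"
        created = key not in self.users
        self.users[key] = local  # just-in-time provisioning, or refresh of attributes
        return local, created


if __name__ == "__main__":
    profile = copy.deepcopy(APPLICATION_PROFILE)
    login = SocialLogin(profile, {})
    print(login.available_providers())                    # ['facebook']
    state = login.start("facebook").split("state=")[1]
    print(login.complete(state, "valid-code"))            # mapped user, created=True
    profile["enabled_providers"].append("google")         # the server-side change
    print(login.available_providers())                    # ['facebook', 'google']
```

Two details matter for a defender here: the state value is generated per login and consumed on first use, so a callback that arrives without a matching pending state (or arrives twice) is rejected rather than silently trusted; and because the profile is consulted on every call, enabling Google only changes the mapping table and provider list, with no change to the client at all, which is the behaviour the post describes.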
Of course, all of the login screens etc. that you have seen can be customised. I am using the default, out-of-the-box screens for simplicity.
In summary, what you have seen in the last section is how I can configure a MAF application to support authentication through a range of social identity providers, again without writing a single line of code.
There is also a great video from a colleague that explains each component in a bit more detail.
I hope you found this useful.
During a job interview several years ago, I was asked a question that has stuck with me ever since. The question was along the lines of:
“If you could offer one piece of security advice to your customer, what would it be?”
At the time, my immediate answer was “Education, education, education. Teach your employees about security as they are the weakest link in the chain.” Over the years since that interview (disclosure: I got the job), I have often thought whether I could have provided a better answer. In fact, when I interview candidates for jobs today I often ask them that same question to see what their response is. I receive a variety of answers, usually technical.
So far, I haven’t come up with a better answer. Sure, we need to enforce perimeter security as well as standard security best practice, such as “Least Privilege” etc., but I can’t think of a single more important security lesson than my lesson above. You can have a very mature Information Security Management System with all the right controls in place, but if you have a compromised user, or even worse a compromised, privileged user, then many of those controls are ineffective.
It is commonly recognised that security controls are a combination of people, processes, and technology. I think, too often we pay too little attention to the people aspect. Security controls have to be looked at holistically, taking into account all three of these facets. That will ensure that you can minimise the potential loss when you are hacked.
Yes, I use the term “when” as opposed to “if”. Every day almost, we see reports of data breaches, many from companies with good security controls in-place. Therefore, I believe it is naive to think that your organisation is un-hackable. That is why it is so important to make sure you have the right security controls and training in place, before this happens, not after.
Over the last two days I have had the privilege of participating in a summit of industry experts to look at innovative ways that technology can help prevent online sexual abuse of children. The event, organised by WeProtect, brought together over 80 individuals from around 40 companies to look at the threats and how they can be addressed.
It was great to see so many competitor organisations putting their differences to one side, leaving their company affiliations (and egos) at the door and instead working together, as individuals to come up with solutions to these very real threats to our children, not just in the UK, but globally. There were some fantastic and inspiring ideas generated that I hope we can build on and, as an industry, start to deliver over the coming months.
Of course, as expected, some of these solutions are not overnight fixes and there is no silver bullet to solve this problem (or it would have been done already). However, there were some very pragmatic, tactical solutions that are eminently achievable without having to move mountains.
It was a real honour to work with my industry colleagues at this event on such a difficult and emotive subject that everyone at the event was so passionate about. It’s time like this when I am really proud of the work that the collaboration of great minds can produce.
“It is the intention of the Civil Service Reform Plan and the new Security Classification Policy that there is greater emphasis on user responsibility, reducing expensive and overbearing technical controls. This requires proper training to assist users in handling sensitive information, and auditing to verify users are acting responsibly.
Users should be trusted to carry out their roles and given the responsibility to do so securely.
Audit and verification of user behaviour should be used to ensure policy compliance instead of preventative measures which add cost and degrade productivity. Such audit and verification should be implemented by services or network infrastructure, away from the end user device.”
I find this a shocking statement. You only have to look at the press or read the annual Verizon Data Breach report to show that the threat from insiders is growing (14% in 2013) with 13% of breaches occurring from privilege misuse or abuse.
It’s very brave (or stupid) to rely on detective controls and therefore close the stable door, only once the horse has bolted. Surely the cost and ‘degraded productivity’ should be measured against the increased risk and reduced compliance.
I would argue that to use security as an enabler, you must ensure that you do have the appropriate mix of preventative AND detective controls in place before you can enable those services that are going to provide the real benefits and savings.