Monday, February 1, 2016

Security in the modern day Digital eXperience

What is Digital Experience (DX) ?
Digital experiences have become the cornerstone of just about every customer experience, driven in part by the rapid spread of customer activity across web, mobile, and social channels. The typical user experience has moved beyond desktop and laptop screens to an astonishing and growing array of mobile devices.
In the Oracle world, DX combines WebCenter and ADF, including WC Sites, WC Content, etc. By the end of this article, DX security should be a no-brainer.

Why do we need DX Security/Use Cases ?
  • No defined network perimeter : More than 67% of security spending goes to network security, yet with the digital economy demanding more collaboration and a seamless user experience, new points of control need to be introduced: user identities, permissions and access to information systems (IS), etc. Cloud computing and mobile have further blurred the network perimeter. Sensitive data that was secured behind a robust enterprise firewall is now accessible via low-cost smart phones.

  • Transformation of the perimeter : “Businesses now invest in security rather than spend on it. Security architects need to design security systems that complement business policies and processes.” - Chris Gavin, vice president, Information Security, Oracle. 
  • A “trust but verify” approach to both enable productivity and address security governance requirements. The objective is to establish one consistent security framework underlying all information systems. Because users and sensitive data are part of every transaction, identity management and database security are the common denominators of addressing most security requirements. 

  • Re-architecture of IT within organizations : Most services are now delivered by software solutions architected in the cloud rather than on-premises, which requires the real-time exchange of accurate information. Organizations rely on identity management technology to facilitate dynamic trust relationships and to support regulatory compliance requirements.
  • Risk-aware architectures : Security architects are tasked with developing "risk-aware" architectures that factor in legal liabilities, the privacy of partner and customer data, and regulatory requirements. These security policies ensure that the organization is ready for internal and external audits.
  • Mobile Security :
    o   By 2020, 80 percent of access to the enterprise will be via mobile devices and other non-PC devices, up from 5 percent today.
    o   External providers will authenticate 60 percent of all users connecting with enterprises.
    o   By 2020 there will be more than 50 billion IP-enabled devices in use around the world.

  • Internet of Things (IoT) : According to Vadim Lander, chief identity architect at Oracle, there are three types of security concerns associated with the Internet of Things:
    o   Device Identity
    o   Application Identity
    o   User Identity
  • Cloud Security : Customers that contract with cloud vendors need to be able to control the identity management process for external applications and on-premises apps via single sign-on procedures. These solutions should also make it easy to provision and de-provision users and to extend entitlement credentials from on-premises applications to cloud applications. Such controls are even more important when securing databases. According to IDC, 66 percent of today's most sensitive data resides in relational databases.
  • Oracle Security Taxonomy as a measure of good security design : Latency and consistency are two variables used to measure good security design. The objective is to reduce the latency of change and increase consistency across systems and applications. Oracle engineers hardware and software to work together. This cohesive approach reduces the latency of change and increases consistency. By embedding security technology into every layer of the technology stack and securing the integration between layers, Oracle not only delivers better performance with a smaller footprint, it also provides better security at a lower cost.
An IDM DX use case : Oracle DX with API Gateway : WCC with anti-virus support for check-in of files, using OAG as the first line of defense.

References : I wished to summarize and set context using the following articles as sources :
Security Architecture in the new Digital Experience Whitepaper (Oracle)
Enabling Secure Consumer Mobility (Kanishk Mahajan, Oracle Product Mgmt)

Thursday, March 26, 2015

Oracle API Gateway (OAG) : Concept & marriage with SOA & Mobile

Oracle API Gateway is a standards-based, policy-driven, standalone software security solution that provides a first line of defense in Service-Oriented Architecture (SOA) environments.
It enables organizations to securely and rapidly adopt Cloud, Mobile and SOA services by bridging the gaps and managing the interactions between all relevant systems.
Oracle Web Services Manager (OWSM) is generally used for the application security of a particular service, whereas many customers have use cases around DMZ or perimeter security for web services. OAG serves as that part of the enterprise security solution.
It is typically used by customers needing access to web services from the internet, similar to how we access a web application. OAG can perform a lot of validations
and route requests only once those checks have passed. This is also a typical use case for mobile applications that use REST web services at the backend.
I have seen strong value in this security product for all SOA and Mobile projects.
Here’s a high-level request flow :
There are many advantages that OAG can provide :
–   Authentication and authorization (leverages an existing LDAP such as AD, or existing IDM platforms such as RSA AM, CA SiteMinder, Oracle Access Manager)
–   XML acceleration, throttling, caching, protocol translation (REST to SOAP and vice versa), dynamic routing, SLA enforcement
–   Identity propagation and credential mapping; filtering of threatening content (XML bombs, DoS attacks, viruses)
Oracle OEMs (Original Equipment Manufacturing) the OAG product from Axway: Axway's gateway product is rebranded for Oracle as OAG, and is almost identical.
Oracle Datasheet

Tuesday, March 24, 2015

Flavors of Mobile Security/SSO for Mobile Web Apps, Native/Hybrid Apps, MAM & MDM

I recently came across quite a few customer use cases which require mobile security/Single-Sign-On (SSO). While it may sound generic, there's a lot more to it.
This post intends to provide some clarity around the various security use cases for mobile apps possible & the high level solution approach using Oracle IDM -

1) Security for Mobile Web Applications (Invoked from a mobile browser)
This is no different from invoking a web application on a desktop or a laptop. Use Oracle Access Manager (OAM) based SSO along with OHS + WebGate.

2) Security for Native/Hybrid mobile applications on personal devices 
(Leveraging existing IDM Platform)
This can be achieved using OAM Mobile & Social Services (OAMMS), which supports the Android and iOS platforms. For other platforms (like Windows), OAM Mobile OAuth Services (along with REST calls) within OAM can be leveraged. Mobile applications implemented using REST and supporting OAuth make mobile app security technology-agnostic (similar to what SAML does for federation).
Image Courtesy : Oracle PM Team Blog

3) Security for Native/Hybrid mobile applications on corporate owned devices 
(MDM or Mobile Device Management)
This feature is currently not available in the Oracle IDM World, but would be available in Oracle Mobile Security Suite (OMSS) in the upcoming 11gR2 PS3 (11.1.2.3).

4) Security for Native/Hybrid mobile applications on personal devices (BYOD concept) 
(MAM or Mobile Application Management)
This can be implemented using OMSS. The concept uses a Secure Mobile Workspace within the personal device which silos all corporate communications using an App Tunnel. The concept is explained in detail in my blog post on OMSS here.
Image Courtesy : Oracle Document

Monday, July 7, 2014

What is Oracle Mobile Application Framework (MAF) ?

Oracle Mobile Application Framework (MAF) was launched on June 30, 2014.

It is Oracle's latest mobile platform for developing hybrid mobile applications (which run on the device and are built using web technologies like Java/ADF) that can be deployed to the iOS and Android platforms.

It is basically an extension of ADF Mobile with a few additional features -

  • Ability to develop using multiple IDE tools like Eclipse (OEPE*) besides JDeveloper.
  • Additional AMX* components (80 in total now) to develop mobile applications and provide a rich look and feel.
  • Newly supported ADF DVT* components like Sunburst and Timeline. [Demos]
  • Support for Apache Cordova plugins.
  • Support for OAuth and web SSO for security.
  • Complete integration with Oracle Mobile Security Suite (OMSS), which is a part of Oracle IDM.
  • Available from JDeveloper 12.1.3 onwards.
  • Migration of existing ADF Mobile applications is easy: just open the application in the new JDeveloper!
  • Licensing for Oracle MAF is now separate (per user per app, or unlimited users per app).
  • Higher reusability using Feature Archives (FARs) and custom components.
  • Support for HTML5 and JavaScript development.

Architecture (Source : Oracle)

Resources

Glossary
*  DVT - Data Visualization Components (Graphs/Charts etc)
*  OEPE - Oracle Enterprise Pack for Eclipse
*  AMX - ADF Mobile XML

Thursday, May 22, 2014

Oracle Identity Mgmt 11gR2 PS2 : New features & Cloud / Mobile Strategy

Source - the live webcast on this topic by Oracle. Here are the updates -

"Oracle IdM R2 PS2 Theme - Cloud, Mobile, Simplification"

New features in the 11gR2 PS2 release -

1) Cloud Access Portal - a web-based application added in the PS2 release which enables admins to manage SaaS-based cloud applications.
  • Login to each application uses SSO, form-fill technologies and federation capabilities. The UI adapts to various form factors.
  • OAM protects the resources.
  • When an app is clicked, the user is redirected to its login page with form fill and auto login.

2) Session Management features in Oracle Privileged Account Manager (OPAM) -

OPAM is a whole new set of functionality focused on managing administrative passwords for applications, databases and operating systems.

3) Oracle Mobile Security Suite (OMSS) -

This heavily leverages features and concepts from Oracle's Bitzer acquisition. It is a MAM (Mobile Application Management) solution.
  • The onus is on application-centric security as opposed to device-centric security.
  • Introduces a new concept called the Secure Mobile Workspace, which containerizes all corporate applications behind a single login.
  • Builds on the BYOD concept, wherein employees can use their personal devices / phablets to access corporate apps and data.
  • Fine-grained policy control using the Oracle Mobile Access/Admin Console, with new features like geo-fencing, time-bound access to the workspace, etc.
  • The enterprise-wide identity management solution is extended to mobile devices.
  • Oracle API Gateway (OAG) support for RESTful IdM services.
  • DLP support.
  • Core apps for Email, Calendar, Contacts, Tasks, Notes.

4) Oracle Mobile Authenticator

  • Adds strong authentication features for SSO-enabled apps.
  • Uses a PIN that changes every 30 seconds for registered apps.
  • Integration with OAM.
  • Available on Android and iOS.

5) Improved and fully integrated OAuth 2.0 support for authorization - client, server, 2-legged or 3-legged authorization.

6) Automated IdM Suite install
  • 2 hours for a single node, 8 hours for an 8-node HA cluster.
  • Patching support.
  • Standard builds.
  • No additional license needed; the feature is supposedly out of the box (OOTB), using wizards, and the components to be installed can be configured.

General 11gR2 IdM strategy from Oracle
To provide a unified identity management platform for Cloud, Enterprise and Mobile applications.

Useful Links

P.S. Source of images: Oracle webcast; the intention is only to share the information.

Oracle Mobile Security Suite (OMSS)

Oracle launched OMSS on Feb 26th, 2014 and held a webcast a few days back detailing its features. Here are a few details -
Overview -
Oracle Mobile Security Suite (OMSS) addresses the BYOD challenges by isolating corporate from personal data on consumers' personal mobile devices without needing to lock down the entire device.
Oracle's Mobile Security Container technology protects corporate apps and data and enables a Secure Enterprise Workspace that meets enterprise security requirements without compromising user experience. It offers the most integrated solution with Windows® authentication and Oracle Access Manager infrastructure for secure Single Sign-on (SSO) to corporate applications.

The entire solution includes -
1) A BYOD, employee-centric mobile security suite that separates personal apps from secure, "containerized" corporate "off-the-shelf" apps and data, avoiding device lock-down. Containerized apps are Oracle and/or third-party enterprise applications accessed by employees through the corporate network (intranet).
2) A consumer-centric mobile and social service that provides a software development kit (SDK) allowing corporate developers to secure custom enterprise apps for Apple's iOS and Google's Android devices, bridging the gap between mobile devices, social networks, and the enterprise's backend identity management infrastructure.

Key Identifiers -

1) Comprehensive set of security policies providing strong authentication, encryption and DLP (Data Leak Prevention) controls.
2) Containerization (apps are containerized and only a one-time login into a container is needed).
3) Secure Enterprise Workspace which houses all the corporate apps.
4) Single Sign-on (SSO) with Integrated Windows Authentication (Kerberos and NTLM) and OAM authentication (Basic Auth and OAuth 2.0).
5) AppTunnel that eliminates the need for a mobile VPN and protects from rogue apps.
6) Mobile Security Access Server, located in the DMZ, which redirects unauthenticated requests to the appropriate Oracle Mobile Security containers.
7) Mobile Security Admin Console for locking, providing access, and remote wipe of the corporate container.
8) New and useful features like geo-fencing and time-fencing available in the admin console.
9) Leverages the existing IDM architecture - talks to Directory Services (OID/OUD/AD); apps can be protected by OAM and/or OIF.
10) Container has OOTB apps like Secure Browser, Catalog, Mail Mgr, etc.
11) OMSS can be deployed on Oracle Enterprise Linux or Microsoft Windows.
12) Android 4.x and above, including 4.4/KitKat compatibility.
13) The Oracle Mobile Security Suite components are distributed across the corporate DMZ and the enterprise intranet (or corporate network).
14) This is a mobile application management (MAM) solution which has various advantages over MDM (Mobile Device Mgmt) solutions like AirWatch, such as a separate container for corporate apps, no requirement for device locking, data privacy, etc.

Architecture - 
The recently rechristened Oracle MAF is tightly integrated with OMSS.

Useful Links -
P.S. Source of images: Oracle webcast; the intention is only to share the information.