Oracle Identity Management

A 'Robust' Schema Approach for SCIM

Phil Hunt — Tue, 24 Feb 2015 09:55:00 +0000

Standards Corner: IETF SCIM Working Group Reaches Consensus

Phil Hunt — Tue, 16 Dec 2014 07:41:00 +0000

Automated Policy Synchronization (APS) for OAM Clone Environment

Kiran Thakkar — Tue, 18 Nov 2014 10:56:00 +0000

Introduction

Since the introduction of MDC support in OAM 11g, Customers have been asking for Automated Synchronization between Master and Clone OAM Environments. It is supported in OAM R2PS2. Thanks to the development team! Before R2PS2, It required T2P process to keep all the data centers in synch which is manual process or customer had to write crone jobs to run T2P process at frequent intervals. Please note that T2P process is still supported with R2PS2 if that is the preference for some reason.

Monitoring OAM Environment

Kiran Thakkar — Mon, 10 Nov 2014 13:36:00 +0000

Introduction

Security systems, including OAM, reside in a dynamic environment where the parameters that affect system performance are ever changing. On top of that, access management Infrastructure like OAM serve as the front door or gate to every application/system in an organization. Therefore continuous monitoring of such key components is mandatory to ensure continuous success of not just your access and SSO solution but indeed your very applications themselves. Effective monitoring involves two types of controls; preventive monitoring and detective monitoring. Preventive monitoring makes sure failure does not take place and detective monitoring helps you detect any failure if it occurred and take corrective measures. OAM has features to facilitate both the types of monitoring. We will go over all the monitoring capabilities offered by the product.

OIM Access Policy Harvesting

Daniel Gralewski — Thu, 06 Nov 2014 06:00:00 +0000

OIM R2 PS2 delivers a long time expected functionality: access policy harvesting. This new feature adds more flexibility to OIM access policies usage.

This is another post in the Oracle Identity Manager Academy from the Fusion Security Blog. for the entire post list click here.
Read more »

Implementing a Custom Landing Page in OIM

Pulkit Sharma — Wed, 05 Nov 2014 12:32:00 +0000

Some of our OIM customers have a use-case of implementing a custom landing page. Such a landing page could be used for multiple purposes, for example – to display some static information like guidelines for using the system or dynamic information like system news, new features, releases etc.
OIM 11gR2 PS2 provides a convenient way of implementing this use-case and it is the subject of this post.

Read more »

Part 2: Custom Login and Logout with Detached Credential Collector (DCC)

Tim Melander — Tue, 14 Oct 2014 13:28:00 +0000

INTRODUCTION

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available. In Part 1: Getting under the covers of Detached Credential Collector (DCC), I spent time talking about DCC in general and walked through a sequence diagram explaining what is happening with DCC, to try and explain how it works including contrasting it with ECC. So in this blog, Part 2, I want to expand into a more practical angle on the requirements of a totally custom login and logout. Creating a custom login and logout does not require the Perl scripts login.pl or logout.pl, though these are perfectly great options and can also be customized. If you do want to take the route of using the OAM out-of-the-box Perl scripts you can find more information about it and its implementation in the Oracle Developer Guide for OAM 11g (11.1.2) in section 4.4 Developing User the Detached Credential Collector or see Debasish Bhattacharya’s blog article Detached Credential Collector Configuration --- OAM 11gR2. Moving forward, and as promised, I am going to guide you on how to create a totally custom login and logout using DCC without requiring any hardcore developer skills --- I promise.
Read more »

Standards Corner: Preventing Pervasive Monitoring

Phil Hunt — Fri, 30 May 2014 04:30:00 +0000

Draft 05 of IETF SCIM Specifications

Phil Hunt — Mon, 12 May 2014 21:20:00 +0000

Standards Corner: Basic Auth MUST Die!

Phil Hunt — Wed, 09 Apr 2014 08:55:00 +0000

How To Do Single Sign On (SSO) for Web Services

Wed, 11 Dec 2013 14:38:02 +0000

A recent question on our internal list was

"A customer has OAM and wants to do SSO to SOAP Web Services".

In this case the customer was using Webcenter Content (the product formerly known as Unified Content Manager UCM). But the scenario applies to any SOAP Web Service.

My answer was well received and there isn't anything proprietary here so I thought I would share to make it easier for people to find and for me to refer to later.

First - There is no such thing as SSO in web services.

There is only identity propagation.

Meaning that I log in as Fabrizio into OAM, connect to a Web application protected by OAM.

That Web application is a Web Services client and I want to tell the client to tell the Web Services that Fabrizio is using the service.

The first step to set this up is to protect the web services via OWSM.

The second step is to translate the OAM token into a WS-Security token.

There are 3 ways to this second step:

1 - If you are writing manual client and don't want any other product involved - use OAM STS

2 - Use Oracle Service Bus (which most likely will also use OAM STS but should make this a couple of mouse clicks)

3 - Use OAG - which doesn't need to talk to STS. It has a very simple way to convert OAM into WS-Security header.

If you're not using OSB already - I would recommend OAG. It's by far the simplest plus you get the additional benefits of OAG.

PS - You can use OSB and OAG together in many scenarios - I was only saying to avoid OSB here because the service was already exposed and there was no benefit I could see for having OSB. If you have a reason to have OSB - let me know. I only know OSB at a very high level since my area of focus is security.

The Difference Between Access Manager 10g and 11g Webgates

Thu, 29 Aug 2013 16:00:38 +0000

A common question we get is what is the difference between Access Manager 10g and Access Manager 11g webgates.

My colleague Yagnesh who covers webgates put together a simple list:

Here is 11g features:

Oracle Universal Installer for platform. Generic for all platforms
Host-based cookie
Individual WebGate OAMAuthnCookie_ making it more secure
A per agent key, and server key, are used. Agent key is stored in wallet file and Server key is stored in Credential store
One per-agent secret key shared between 11g WebGate and OAM Server One OAM Server key
OAM 11g supports cross-network-domain single sign-on out of the box. Oracle recommends you use Oracle Identity Federation for this situation.
Capability to act as a detached credential collector
Webgate Authorization Caching
Diagnostic page to tune parameters
Has separate install and configuration option. Hence, single install and multiple instance configuration is supported.

And 10g:

InstallShield and One installer per platform
Domain-based cookie
ObSSOCookie (one for all 10g Webgates)
Global shared secret stored in the directory server only (not accessible to WebGate)
There is just one global shared secret key per OAM deployment which is used by all the WebGates
OAM 10g provides a proprietary multiple network domain SSO capability that predates Oracle Identity Federation. Complex configuration is required.
One Web server configuration supported per WebGate. Need to have multiple WebGates for multiple instances.

Fresh, Informative and Fun - Join Us For Your Opening Presentation at Open World 2013

Thu, 29 Aug 2013 14:25:10 +0000

Join us on Monday September 23, 2013 for Senior Vice President Amit Jasuja's presentation.

It's called "CON8808 - Oracle Identity Management: Enabling Business Growth in the New Economy".

The title is boring but the presentation will be fresh, informative and fun.

This is our annual presentation to share our thoughts on where the world is going in terms of identity management and letting customers who are leading the way let you know how they are getting there.

And we will deliver this to you in a way that promises to be as entertaining as it is informative.

Click here and schedule yourself for Amit's session before we run out of room

If You Are Interested In OUD - You Need To Be Reading Sylvain Duloutre's Blog

Wed, 02 May 2012 19:38:17 +0000

My colleague Sylvain Duloutre is writing a series of posts about Oracle Unified Directory (OUD) including how to co-habitate and migrate from DSEE to OUD which is how we believe most existing DSEE customers who adopt OUD will make the move.
You can read his blog here.

Announcing Oracle Optimized Solution for Oracle Unified Directory

Fri, 20 Apr 2012 07:03:17 +0000

I'm happy today to be able to share that we released an optimized solution for Oracle Unified Directory. It's one of the first public announcements we can make of several cool & useful things we've been working on. We have more coming from identity & access team. Which reminds me - for my loyal readers here - since December 2011 - besides covering directory - I am also now on the Oracle Access Manager Suite team. My colleague Sylvain post summed it up nicely what it is:

Oracle Optimized Solution for Oracle Unified Directory is a complete solution - Software and Harware engineered to work together. It implements Oracle Unified Directory software on Oracle's SPARC T4 servers to provide highly available and extremely high performance directory services for the entire enterprise infrastructure and applications. The solution is architected, optimized, and tested to deliver simplicity, performance, security, and savings in enterprise environments. More details available at http://www.oracle.com/us/solutions/1571310

While that post is short - it is dense with information. So to explain it simpler - within Oracle we have a team (Optimized Solutions) who work with our product teams to show how our customers can get the best performance out of our hardware when running a specific software package. Instead of just giving you a generic tuning guide for our product - we've gone through the tuning steps and tested the configuration(s) for you. Thus besides giving you great performance - it's faster & simpler deployment because you can reduce the time it takes to run a tuning exercise from scratch. Optimized solutions simplifies that exercise because we've already done most (if not all) of the work for you. Click here to learn more about our Optimized Solution for Oracle Unified Directory.

Live Panel Discussion: Managing Risk and Enforcing Compliance in Healthcare with Identity Analytics

Tue, 22 Nov 2011 15:46:54 +0000

Oracle Security Solutions

Live Panel Discussion: Managing Risk and Enforcing Compliance in Healthcare with Identity Analytics
Featuring experts from Kaiser Permanente, PricewaterhouseCoopers and Oracle

Electronic healthcare initiatives promise consumer empowerment and improved information exchange between providers, healthcare professionals, caregivers, and patients, with the ultimate goal of driving down costs. However, issues around patient privacy and unauthorized access to sensitive medical records (including VIP cases) continue to deter wider adoption of electronic healthcare initiatives.

Hear first-hand from a healthcare organization how metrics-driven identity analytics and closed-loop remediation offer actionable insight that empowers organizations to implement first-class security and compliance programs in health care’s emerging electronic age.

Join us for this complimentary webcast and listen to industry experts discuss:

Key security and regulatory requirements in healthcare establishments
The effective role of identity analytics solution in measuring and managing risk and enforcing regulatory compliance in healthcare organizations
Real world use cases and deployment scenarios

Brought to you by:

Register Now

“Managing Risk and Enforcing Compliance in Healthcare with Identity Analytics”

Tuesday,
November 29, 2011
10:00 a.m. PT / 1:00 p.m. ET

Speakers:

Jason W. Zellmer
Director, Identity and Access Management
Kaiser Permanente Information Security

Rex Thexton
Advisory Services
PricewaterhouseCoopers

Viresh Garg
Director, Product Management
Oracle

Moderator:
Mike Miliard
Managing Editor
Healthcare IT News

Filed under: Compliance, Identity & Access Governance, identity & access management, Oracle Identity Analytics, Oracle Identity Management, Oracle Identity Manager, Role Governance, Webcasts Tagged: Oracle Identity Analytics, Oracle Identity Management

Webcast Recording: Limiting Audit Exposure and Managing Risk with Metrics-Driven Identity Analytics

Tue, 15 Nov 2011 21:32:02 +0000

Limiting Audit Exposure and Managing Risk with Metrics-Driven Identity Analytics

Watch the webcast recording here!

There is a new awareness of the strategic value and role of information security in the enterprise. One of the key challenges facing CISO’s today is the pressure to demonstrate continuous compliance – across all business organizations for thousands of users with access to hundreds of applications. Metrics driven Identity Analytics, powered by rich risk analytics, is crucial in measuring how well IT supports the business and manages risk.

Hear from an end user the key elements required to satisfy business and audit requirements for user access certifications and identity controls. Learn how Oracle is leveraging its expertise in identity management, data mining, business processing and business intelligence to give enterprises the tools they need to mitigate risk, build transparency, satisfy compliance mandates and support business decisions.

This webcast covers:

Key elements for building a strong identity & access governance program
The advancements in identity and risk analytics offered with Oracle Identity Analytics 11g
An end-user’s perspective on user access certification use cases and implementation best practices

Watch today to hear about industry best practices from Stuart Lincoln, BNP Paribas, and Neil Gandhi, Principal Product Manager, as they talk about the latest advancements in identity analytics and learn how you too can benefit from making sense of technical identity data and transforming it into business-friendly information that is both insightful and actionable.

Filed under: Compliance, IAM, Identity & Access Governance, identity & access management, Identity Administration, Oracle Identity Analytics, Oracle Identity Management, Oracle Identity Manager, Webcasts Tagged: Oracle Identity Analytics, Oracle Identity Management

Webcast: Limiting Audit Exposure and Managing Risk with Metrics-Driven Identity Analytics

Fri, 04 Nov 2011 14:52:46 +0000

Limiting Audit Exposure and Managing Risk with Metrics-Driven Identity Analytics

Date: Thursday, November 10, 2011
Time: 9:00 AM PST
Register Here.
There is a new awareness of the strategic value and role of information security in the enterprise. One of the key challenges facing CISO’s today is the pressure to demonstrate continuous compliance – across all business organizations for thousands of users with access to hundreds of applications. Metrics driven Identity Analytics, powered by rich risk analytics, is crucial in measuring how well IT supports the business and manages risk.

The webcast will cover:

Key elements for building a strong identity & access governance program
The advancements in identity and risk analytics offered with Oracle Identity Analytics 11g
An end-user’s perspective on user access certification use cases and implementation best practices

Register today for this webcast to hear about industry best practices and the latest advancements in identity analytics and learn how you too can benefit from making sense of technical identity data and transforming it into business-friendly information that is both insightful and actionable. And get your questions answered live by experts Stuart Lincoln, VP, IT P&L Client Services, BNP Paribas and Neil Gandhi, Principal Product Manager, Oracle Identity Management.

Filed under: Identity & Access Governance, identity & access management, Identity Administration, Oracle Identity Analytics, Oracle Identity Management, Oracle Identity Manager, Webcasts Tagged: Oracle Identity Analytics, Oracle Identity Management, Oracle Identity Manager

Do You Need To Reduce Your Audit Exposure?

Wed, 31 Aug 2011 00:39:27 +0000

Today, managers are overwhelmed by the sheer volume of certification reviews and are just certifying users without the appropriate level of attention or analytics. Without proper visibility into user access, managers are unable to perform accurate certification reviews and the result can have negative financial and security consequences. In addition, this results in organizations not being able to sustain a periodic attestation cycle to review user access rights across a wide range of business applications and platforms, thus failing audits. And yes folks, the “Audit Eye” is real! Check it out:

REGISTER NOW
Find out how Oracle can help you keep up with audit requirements.

Filed under: IAM, Identity & Access Governance, Identity Administration, Oracle Identity Analytics, Oracle Identity Management, Oracle Identity Manager, Role Governance, security, Usability Tagged: Audit, Compliance, Identity & Access Governance, Identity & Access Management, Identity Intelligence, Oracle Identity Analytics, Oracle Identity Management

Slapping Funny This One

Wed, 24 Aug 2011 17:48:59 +0000

Funny or not, you tell me.

We have all been there! Too many passwords to remember is a bug we are all suffering from. From my first dog to my first friend in school, my grandmother, my son and everyone in between, they have all made their appearance on my passwords roll. Life was easy (albeit a lot less secure) when you could get away with just putting in the names. Now there needs to be a combination of letters, symbols, numbers and more. And, you have to change it every few weeks. So, with a different password for each of the systems and applications, how many permutation-combinations are you dealing with? And did you know that a single call to the help desk can cost as much as $25 to reset passwords?

Stop the madness. Learn how Oracle can help? Register now for your complimentary guide to single sign-on salvation.

Filed under: Compliance, IAM, Social Media, Usability

Document Theft - IRM as a Last Line of Defense

Tue, 02 Aug 2011 04:54:25 +0000

I haven't had much time to update the blog recently, but just time to post before going on holiday. Over recent weeks there have been numerous stories relating to document theft – the Pentagon commentary on systematic theft of thousands of documents from defense contractors, the reports of journalists hacking into not just phones but the email systems of public and private citizens, the smug announcements by “cyber terrorists” that they’ve stolen files from various organisations.

The relevance of IRM is clear. Protect your perimeter, your applications, your file systems and repositories, of course, but protect your sensitive documents too. In the end, there are so many ways to gain digital possession of documents – but only one way to actually make use of them if they are protected by IRM. Anyone stealing a sealed document by whatever means has another substantial line of defense to overcome.

And that line of defense is designed to audit and authenticate access attempts as well as consider a number of other risk factors. It can also be rapidly reconfigured to deny access completely in the event of calamity – a single rule change can prevent all access from compromised user accounts or for whole classifications of information. The audit trail can also provide valuable clues as to the source of the attack.

In a cloudy world, where perimeters are of diminishing relevance, you need to apply controls to the assets themselves. And the scalable, manageable, intuitive way to achieve that control is Oracle IRM.

IRM Hotfolder update - seal docs automatically

Tue, 14 Jun 2011 08:09:19 +0000

Another update of the IRM Hotfolder tool was announced a few days ago - 3.2.0.

The main enhancement this time is to preserve timestamps, ownership and file system permissions during the automated sealing process. Earlier versions would create sealed files with timestamps reflecting the time of sealing, and ownership attributed to the wrapper utility, etc. This version lets you preserve the properties of the file prior to sealing.

The documentation has also been updated to clarify the permissions needed to use the utility.

For those who aren't familiar with the IRM Hotfolder, it is a simple utility that uses IRM APIs to seal and unseal files automatically by monitoring file system folders, WebDAV folders, SharePoint folders, application output folders, and so on.

Clouds Leak - IRM protects

Sat, 11 Jun 2011 11:46:43 +0000

In a recent report, security professionals reported two leading fears relating to cloud services:

"Exposure of confidential or sensitive information to unauthorised systems or personnel"

"Confidential or sensitive data loss or leakage"

These fears are compounded by the fact that business users frequently sign themselves up to cloud services independently of whatever arrangements are made by corporate IT. Users are making personal choices to use the cloud as a convenient place to store and share files - and they are doing this for business information as well as personal files. In my own role, I was recently invited by a partner to review a sensitive business document using Googledocs. I just checked, and the file is still there weeks after the end of that particular project - because users don't often tidy up after themselves.

So, the cloud gives us new, seductively simple ways to scatter information around, and our choices are governed by convenience rather than compliance. And not all cloud services are equal when it comes to protecting data. Only a few weeks ago, it was reported that one popular service had amended its privacy assurance from "Nobody can see your private files..." to "Other [service] users cannot...", and that administrators were "prohibited" from accessing files - rather than "prevented". This story demonstrates that security pros are right to worry about exposure to unauthorised systems and personnel.

Added to this, the recent Sony incident highlights how lazy we are when picking passwords, and that services do not always protect passwords anything like as well as they should. Reportedly millions of passwords were stored as plain text, and analysis shows that users favoured very simple passwords, and used the same password for multiple services. No great surprise, but worrying to a security professional who knows that users are just as inconsiderate when using the cloud for collaboration.

No wonder then that security professionals put the loss or exposure of sensitive information firmly at the top of their list of concerns. They are faced with a triple-whammy - distribution without control, administration with inadequate safeguards, and authentication with weak password policy. A compliance nightmare.

So why not block users from using such services? Well, you can try, but from the users' perspective convenience out-trumps compliance and where there's a will there's a way. Blocking technologies find it really difficult to cover all the options, and users can be very inventive at bypassing blocks. In any case, users are making these choices because it makes them more productive, so the real goal, arguably, is to find a safe way to let people make these choices rather than maintain the pretence that you can stop them.

The relevance of IRM is clear. Users might adopt such services, but sealed files remain encrypted no matter where they are stored and no matter what mechanism is used to upload and download them. Cloud administrators have no more access to them than if they found them on a lost USB device. Further, a hacker might steal or crack your cloud passwords, but that has no bearing on your IRM service password, which is firmly under the control of corporate policy. And if policy changes such that the users no longer have rights to the files they uploaded, those files become inaccessible to them regardless of location. You can tidy up even if users do not.

Finally, the IRM audit trail can give insights into the locations where files are being stored.

So, IRM provides an effective safety net for your sensitive corporate information - an enabler that mitigates risks that are otherwise really hard to deal with.

Growing Risks: Mobiles, Clouds, and Social Media

Thu, 02 Jun 2011 12:05:30 +0000

The International Information Systems Security Certification Consortium, Inc., (ISC)²®, has just published a report conducted on its behalf by Frost & Sullivan.

The report highlights three growing trends that security professionals are, or should be, worried about - mobile device proliferation, cloud computing, and social media.

Mobile devices are highlighted because survey respondents ranked them second in terms of threat (behind application vulnerabilities). Frost & Sullivan comment that "With so many mobile devices in the enterprise, defending corporate data from leaks either intentionally or via loss or theft of a device is challenging.". Most respondents reported that they have policies and technologies in place, with rights management being reported as part of the technology mix.

Cloud computing was ranked considerably lower by respondents, but Frost & Sullivan highlighted it as a growing concern for which the security professionals consistently cited the need for more training and awareness.

The security professionals also reported that their two most feared cloud-related threats are:

"Exposure of confidential or sensitive information to unauthorised systems or personnel"
"Confidential or sensitive data loss or leakage"

These two concerns were ranked head and shoulders above access controls, cyber attacks, and disruptions to operation, and concerns about compliance audits and forensic reporting.

Rather contrarily, the third trend is highlighted because respondents reported that it is not a major concern. Frost & Sullivan observe that many security professionals appear to be under-estimating the risks of social computing, with 28% of respondents saying that they impose no restrictions at all on the use of social media, and most imposing few restrictions.

So, interesting reading although no great surprises - and reason enough for me to write three pieces on what Oracle IRM brings to the party for each of these three challenging trends.

A comment on mobile device proliferation is already available here.

A comment on cloud adoption is available here

Simple IRM Demonstration

Tue, 31 May 2011 02:31:18 +0000

The demo server has recently been retired after many years of faithful service. Please contact your local Oracle representative if you would like a demo, or see the demos on the Oracle IRM YouTube channel.

Facebook Lists and the Enterprise

Clayton — Thu, 26 Aug 2010 20:38:44 +0000

This article on TechCrunch reminds me of how much I dislike enterprise systems that require you to recreate many of the relationships that are inherent in an organization using constructs that are available and remain unused in many popular consumer social sites.

Tonight at a Facebook Developer's Garage meeting at Facebook's headquarters in Palo Alto, Zuckerberg fielded a question about the service's privacy controls. He said that the ideal solution for sharing different things with different people is to make a friend list. "But guess what? Nobody wants to make lists," Zuckerberg admitted.

Yes, nobody wants to make lists.

The TechCrunch proposal is excellent for Internet-facing applications, as differentiation between "friends" and "followers" is usually a good first cutoff in a relationship. Enterprises have these relationship distinctions too...hence why you're likely to see a broadcast from your CEO, but your CEO probably isn't seeing broadcasts from each individual employee.

In the enterprise, your peers, managers, reports, approvers, and so forth are already grouped in meaningful ways as part of business applications. Since these systems need to be accurate for payroll, promotions, mailing lists, and a number of other processes to work, there is significant incentive for the specific relationships to be accurate.

Contrast this with single-purpose lists used by a single platform that need self-management. Such lists are maintained manually, are not going to be corrected by others if incorrect, and are unlikely to stay meaningful.

We've long said in the directory space that the directory is a place for identity information that has utility in the broadest number of places. Similarly, many of these existing relationships are already modeled in the directory. With virtual directories, even those relationships found in external business systems can be brought into the scope of your applications via a single, simple LDAP request.

I'd like to see mor enterprise applications become more social by simply using the "lists" and relationship granularity that is already defined rather than try to mimic Facebook and other Internet sites that require me to maintain these on my own.

Versatile Authentication - One Layer of (Strong) Authentication

Fri, 05 Feb 2010 09:55:39 +0000

Versatile authentication flexibly integrates a variety of open and proprietary authentication methods into one security layer, and strongly simplifies the implementation of multiple authentication methods in complex environments. In this panel, Dave Kearns will discuss with several authentication vendors about current trends in versatile authentication.
Attend this event

Don Bowen

Clayton — Mon, 02 Nov 2009 21:34:12 +0000

Three men are discussing what they want others to say at their funerals. The first says, "I want people to remember that I was someone who always gave my all." The second says, "I want people to remember that my life was centered around my family." The third says, "I want them to say...HE'S MOVING!"
-- Source Unknown

As many of you may know by now, Don Bowen passed away last weekend after a long battle with brain cancer. He was a truly passionate person in everything he did, completely centered around his family, and had a thirst for life that makes his passing almost a surprise in spite of the dire prognosis for brain cancer survival.

Don and I met in 1998 when he was at Caterpillar and I was a Motorola. Like me, he was spending a lot of time with Netscape Directory Server. He was an early adopter of some of the LDAP Perl modules that I was writing at the time and sure did have plenty of feedback! He was a very compelling guy and knew what needed fixing. He did a similarly thorough job in reviewing the book I was writing at the time.

A year later, I tried convincing him to join IBM, where I had landed after some independent consulting. He declined for a completely Don Bowen reason: "I won't work somewhere that forces me to use Lotus Notes." A principled guy...but you knew that.

We next connected after he joined a startup called TidePoint. This time he was doing the hiring and I accepted. The company didn't last long, but it wasn't from lack of trying. Afterwards, when I started OctetString, I brought Don in for a few months to do some consulting for some of our early customers. He then moved onto bigger and better things at Burton Group and Sun before co-founding UnboundID.

Don will be missed by all that knew him. Like many others, I've learned as much from Don in his battle with cancer as I did in working together with him in this industry. Don's blog (Wizard of IdM) details his journey with cancer while showcasing his strong faith and positive outlook on life.

My thoughts are with his beautiful family. He leaves behind his wife Eileen and four wonderful daughters. If you've been touched by Don, you may want to consider visiting the website for his family's trust.

Consumer behavior between social media and paid search!

Sat, 10 Oct 2009 21:01:38 +0000

Marketing companies need to figure out how to allocate budgets between social media and paid search on the internet as consumers exposed to a brand's influenced social media and paid search programs are 2.8 times more likely to search for that brand's products compared to users who only saw paid search.

The State of Affairs with Application Security for Department of Homeland Security/SRI ITTC

Sat, 10 Oct 2009 09:07:31 +0000

Panelist on Dept. of Homeland Security and Stanford Research Institute (Infosec Technology Transition Council)
Thursday, October 15, 2009 1:30 pm - 7:30 pm (Pacific Time)
Registrations

Security As A Service

Tue, 01 Sep 2009 13:56:11 +0000

This blog introduces "Security As A Service".

Oracle Fusion Middleware is highly predicated on service-oriented architecture (SOA) environments. SOA provides many benefits including the ability to build composite applications based on service (or component) reuse, as well as flexible and dynamic connectivity among services.

Oracle Identity Management, as part of Oracle Fusion Middleware, provides many services that can be shared and reused across the enterprise. For example, Oracle Directory Services are the basic building blocks for user and resource information. Likewise, Oracle Identity Management is designed to provide identity management and access control services deployed outside applications, thus clearly separating security from business logic, the most efficient weapon against application "silos."

With Oracle Identity Management 11gR1, Oracle extends its identity-as-a-service approach to the developer community. From now on, in-house developers, third-party application providers, and integrators can benefit from the same security services that Oracle Fusion Middleware components relie on. For example, in a typical scenario, a developer at Company XYZ designs an application from the ground up using Oracle JDeveloper and Oracle's Application Development Framework (ADF). After deployment, Company XYZ realizes that in order to support a very large number of users, the application needs to communicate with enterprise-strength identity services such as those provided by Oracle Identity Management. In this case, the application can easily "switch" from the original ADF-based security to full-fledged Oracle Identity Management services such as Oracle Access Manager or Oracle Entitlements Manager without any change to either the application itself or the security services originally used by the developer.

Oracle Identity Management 11gR1 provides security services in the form of an enterprise-wide framework known as Oracle Platform Security Services or OPSS for short.

OPSS is a self-contained, portable set of security services that run on Oracle WebLogic Server. OPSS provides an abstraction layer that insulates developers from security and identity management implementation details. At development time, OPSS services can be directly invoked from the development environment (Oracle JDeveloper) through wizards. When the application is deployed to the runtime environment, systems and security administrators can access OPSS services for configuration purposes through Oracle Enterprise Manager Fusion Middleware Control or command line tools.

OPSS security services comply with the following industry standards: role-based-access-control (RBAC); Java Platform, Enterprise Edition (Java EE), Java Authorization and Authentication Services (JAAS), and Java Authorization Contract for Containers (JACC). With OPSS, developers don't need to know the nitty-gritty of cryptographic key management or interfaces with user repositories and other identity management infrastructures.

The OPSS framework includes services that are consumed by Oracle WebLogic Server's Security Services Provider Interface (SSPI). In addition, OPSS includes Java Platform Security (JPS), Oracle Fusion Middleware's security framework.

SSPI provides Java EE container security in permission-based (JACC) mode and in resource-based (non-JACC) mode. It also provides resource-based authorization for the environment, thus allowing customers to choose their security model. SSPI is a set of APIs designed to implement pluggable security providers in order to support multiple types of security services, such as custom authentication or a particular role mapping.

JPS, on the other hand, was first released with Oracle Application Server 9.0.4 as a JAAS-compatible authentication and authorization service working with XML-based and Oracle Internet Directory providers. In Oracle Identity Management 11gR1, JPS has been expanded to include the following services: Credential Store Framework (a set of APIs that applications can use to create, read, update, and manage credentials securely), User and Role API (designed to access identity information in a uniform and portable manner), Oracle Fusion Middleware Audit Framework (used by all the components part of Oracle Fusion Middleware), and JDeveloper/ADF integration (application security life cycle support, from development to staging to full-fledged production).

OPSS also includes Oracle Security Developer Tools (OSDT), a set of Java-based cryptographic libraries supporting XML signature, XML encryption, XML Key Management Specification (XKMS), Security Assertion Markup Language (SAML), WS-Security, and other non-XML standards such as Secure / Multipurpose Internet Mail Extensions (S/MIME) and Online Certificate Status Protocol (OCSP). OSDT is used in many Oracle products including Oracle applications and Oracle Fusion Middleware components. OPSS leverages OSDT for SSL configuration and Oracle Wallet (used by Oracle Identity Management products, Oracle Enterprise Manager, and Oracle Database).

OPSS is an all-encompassing framework that provides out-of-the-box support for (1) applications using WebLogic Server's internal security and SSPI, such as Oracle Entitlements Server and Oracle Access Manager, and (2) applications using JPS, such as Oracle ADF, Oracle WebCenter, Oracle SOA Suite, and Oracle Web Services Manager.

Developers can use OPSS APIs to build security features for all types of applications and integrate them with other security artifacts, such as LDAP servers, database systems, and custom security components.

Administrators can use OPSS to deploy large enterprise applications with a small, uniform set of tools and administer all security in them. OPSS simplifies the maintenance of application security because it allows the modification of security configuration without changing the application code.

Role of Identity Management in Public vs. Private Cloud Computing

Wed, 24 Jun 2009 16:38:00 +0000

A traditional cloud-based environment offers a quick and cost-effective access to technology. Using browser to access technology brings agility to enterprises and improved satisfaction to end users, while lowering overall costs. By outsourcing technology to a service provider, including the infrastructure itself, business clients can realize valuable ROI.

Cloud Providers and Security Risk

However, by letting go of the infrastructure, managing security risk becomes an important task requiring a joint effort between the client and cloud provider. To help mitigate such risk, use of identity and access management solutions by cloud providers are a must.

Who is the user and what can a user do in a cloud environment must be monitored and also enforced diligently. A public cloud that offers on-demand services to a wide population of users must take relevant compliance mandates with utmost responsibility to ensure access control will not be compromised - or risk loss of business due to bad publicity and loss of trust.

Furthermore, public cloud providers have significant responsibility to ensure their multi-tenant platforms don't inadvertently expose customer data as a result of social engineering attacks or programming mistakes.

Identity Management to Help Manage Risk

Thus identity management technologies such as authentication, authorization, user management, compliance, and others are paramount:

Users must be strongly authenticated to validate their identity
Up to date access rights must be checked against cloud application's access control policies
All user interactions must be logged to ensure non-repudiation
User accounts must be de-provisioned in a timely manner
Dormant accounts must be identified and removed quickly
Access permissions must be certified on a continuous basis

Back to Security Silos

Let’s take a look at another dimension – public vs. private clouds. With a public cloud, the responsibility for application security in terms of identity management and data protection rests primarily with the cloud provider. Business clients of public clouds typically have less control over application security and must trust the cloud provider to have accounted for sufficient security measures.

To improve security and user satisfaction somewhat, some public cloud providers offer identity management features such as SSO (Single Sign-On) and limited user provisioning, however, the majority of security and identity controls is with the public cloud provider.

As a result, many mid to large enterprises consider the lack of integrated identity management a step back, since the public cloud provider represents a silo of identities, security policies and processes. In the end, the client finds a reasonable balance between the value of the cloud-based service, its cost, and the underlying risk.

Identity Management for Private Clouds

In those cases where security risks are too high business clients can turn to private cloud providers. Unlike a public cloud, a private cloud is an extension of the enterprise protected by a firewall. Such clouds can and should be integrated with client's identity management systems for SSO, user authentication, authorization, audit, provisioning, role management, and compliance.

Furthermore, private clouds offer dedicated storage or virtualized layering for data isolation and application partitioning - reducing the risk of data breach. Unlike a public cloud that is not expected (yet) to offer tight integration with enterprise identity management systems and/or data, private clouds will be expected to offer such capabilities. Thus private cloud providers must ensure they offer a robust set of identity management tools that clients can:

Rely on for managing access to the cloud environment
Integrate with enterprise identity and access systems
Potentially use to manage security and identity in enterprise applications

To manage risk well, the typical "security and identity silo" present in public clouds must be eliminated in private clouds. This means private cloud providers must ensure seamless integration with client's infrastructure and information, including identity management. This places a burden on private cloud providers to offer standards-based, heterogeneous security- and identity-related services that span a broad range of enterprise systems and can be integrated with enterprise processes.

Benefits of Identity Management in Private vs. Public Clouds

The following table compares Identity Management benefits associated with public and private clouds.

Public Cloud

Implementation best practices (example: provisioning/business use cases, etc.) gained over other customers can be reused in a cost effective manner during similar deployments for a new deployment
Security and SLA are at higher risks due to public exposure and a complex shared environment (network complexity)
ROI - cost effective in the short term

Private Cloud

Implementation expertise (example: development/technical) gained within the enterprise reduces further integration (wider and broader) costs & time
Shared Services architecture can be easily reused across the enterprise to easily drive other business requirements
Compliance and regulation requirements may be easily monitored/enforced within the company
ROI - cost effective over the long term

Identity Management from Oracle

Given that such functionality is quite difficult to achieve on their own, private cloud providers can partner with Oracle for such capabilities as:

Strong user authentication, Web Single Sign On, and Identity Federation for access control needs
User provisioning, role management, and identity attestation for user lifecycle management
LDAP directory and virtual directory for identity repositories
Database security and OS security for locking down access to critical operating environments

Oracle provides a complete range of standards-based identity management capabilities across a wide range of enterprise systems. Both public and private cloud providers leveraging Fusion Middleware 11g will benefit from the built-in and fully integrated Identity Management to secure their clouds and integrate with client's infrastructure.

Finally, private cloud providers have a unique ability to offer Oracle’s comprehensive Identity Management services as a private Identity Management cloud - to both new and existing clients.

NFC (Near Field Communications) – Was this near sighted?

Mon, 01 Jun 2009 17:41:13 +0000

NFC enables any two devices to connect and exchange information or access content and services simply by bringing them together over a distance of a few centimeters.

The acronym NFC stands for Near Field Communication. It’s a two-way communication technology based on RFID, but it is sometimes called “contactless” technology. The acronym RFID stands for Radio-Frequency IDentification. The technology has its origins in the microchips that have been used to tag both wild animals and household pets. Since this use, RFID has been used in many more industries, including animal husbandry and supply chain management. Items tagged with an RFID chip might also contain information about the object, what it is supposed to be, where it came from, where it’s going, etc. - especially in supply chain management.

There are also other applications of RFID that some people feel are more sinister, but which some governments insist are a necessity. These include “smart” passports and a variety of other digital identification cards that use RFID chips. Some people have even gone so far as to have RFID chips inserted into their bodies. RFID usage is spreading rapidly, and will affect the way we do business and pay for things or collect information.

NFC technology on the other hand is being used in a wide array of applications including “fast-lane” payment at gas stations and supermarkets, for transit payments, and more. The mobile phone industry including governments (cities like Oulu, Finland) have also moved forward in delivering services such as credit-card payments, Mobile Time Reporting, Smart Parking , Smart Theater for tickets with smart posters for information distribution, Information Tags in Restaurants for payment and ordering using hand-held devices, enabling Buses and Bus Stops with information and tickets, etc. This technology is already being used for services such as mobile ticketing and used to replace plastic credit and debit cards in consumers' pockets around the world.

It seems like there is good momentum and everyone is moving quickly to capitalize on the opportunity but on the other hand there has been fierce debates in the industry in the past about the security model including how to securely authenticate over the air and also where to locate the "secure element," or system for storing private data, in phones equipped with NFC (near field communications) technology.

So does NFC based solutions pose a huge fraud risk?
NFC used for phone payments represent an opportunity for sophisticated criminals to steal a lot of money as this space is fraudsters' biggest opportunity for the future, largely because many people still see their phone as a communication device, rather than something that they have to keep secure. In fact, hackers can break easily into NFC phones. Even if that's true, however, it doesn't mean NFC phones pose the greatest future threat to the security of consumers' financial details. Thieves could still steal small amounts of money often to reap huge sums.

It has been proven that using inexpensive off-the-shelf components, hackers can develop a mobile platform that can clone large numbers of the unique electronic identifiers used in US passport cards and next generation Drivers licenses. Ethical hacker Chris Paget demonstrates ( http://www.net-security.org/secworld.php?id=6997 ) a low-cost mobile device that surreptitiously reads and clones RFID tags embedded in United States passport cards and enhanced drivers' licenses. The proof-of-concept device operates out of his vehicle and contains everything needed to sniff and then clone RFID, or radio frequency identification, tags. Here is another example http://www.youtube.com/watch?v=hXSt_O3Mt20

The security of the Radio-Frequency Identification (RFID) tag, and its ability to resist malware, has also been questioned. At a hardware level, a RFID tag normally consists of a receiver and transmitter and a micro-controller that facilitates the exchange. However the micro-controller is not powerful enough to employ sophisticated means of a robust real-time encryption and is susceptible to attack. Normally, information stored on the tag has to be authenticated to prevent counterfeiting but tags are thought of most often as a disposable device the cost of manufacturing is kept low. Most of the time a RFID reader is connected to some sort of database software to process data received from the tag. Once the tag is compromised it further opens possibilities for various scenarios of security breaches.

How likely it is for a remote or wireless device to catch an ‘airborne' virus if it was in contact with an infected laptop or a PDA?
Potentially, if a virus broadcasts itself utilizing a wireless data transfer protocol and another system accepts this transmission and transfers control to the received data, then we may have a case of an ‘airborne' infection. The most plausible case scenario might include a virus that utilizes vulnerabilities in the driver of a wireless device or a service related to the communication protocols.

The industry is already responding to potential fraudulent transactions. One protection is the Card Verification Value code (CVV, also known as CVC). Each credit-card number is associated with a three- or four-digit code, located on the back of the physical card. It's static on all mag-strip cards, but it's dynamic on an NFC phone. So if a legitimate NFC phone is used, a new CVV is assigned. If a bogus phone is then used, it will have the wrong CVV and the transaction won't go through. If no CVV/CVC like features are available then fingerprinting the device using an intelligent One Time Code can help achieve this functionality.

Financial institutions and Credit-card companies have software that analyzes transactions in real time in an effort to detect and hopefully prevent fraud. When an unusual activity occurs, a block is put on the account or card until the cardholder can be contacted. The same is true of phones used to make credit-card payments. Compare that to a mag-strip card. You would pay your dinner bill with a credit card, and the waiter would clone your card. The waiter's friends would use the card to make several purchases during the next three weeks, and you wouldn't learn about the fraudulent charges until you got your monthly statement.

Another option which banks use to deter fraudsters is by using an ‘Out of Band Authentication’ message like a digital receipt using SMS. Here's how it would work: If someone somehow were to hijack your account and wire money you would receive an SMS with the details on the transaction or a confirmation message in the hope that you could immediately call the bank and inform them about the problem. This allows the bank to cancel the transaction or put the transaction on hold. Similarly if a fraudster clones your NFC phone's payment capability and purchase a handbag or pack of cigarettes, you would receive a text message on your phone—a receipt, stating the item, time of purchase, price and retailer. You could then immediately call your credit card company and inform them of the problem.

Unfortunately, this reactive approach will not help prevent fraud in real time but certainly deters fraudsters. The more sophisticated and fool-proof way would be for the provider to force you to interact as part of the transaction by allowing the end user to confirm/deny the specific transaction in real time.

Over the Air (OTA) method of transferring data to a mobile device for personalization and security applets is another security measure. If a hacker finds a way to break into the secure sector of an NFC chip, you'd have to replace the NFC chip. With OTA, if there is a breach, you could just send out a security patch to the phone and dynamically fix the security issue.

No security model or solution can effectively solve this problem and the closest one can come to protecting the end users and reduce fraud is by simply assuming this risk or by utilizing solutions like real-time fraud prevention for highly sensitive transactions. This is analogous to what financial institutions and credit-card companies often deploy to protect consumers from fraudulent use of their cards. So articles like this one including security experts can try to scare people, but the truth is, consumers don't appear to have much to be concerned about at this point. Either you accept this technology and let the provider bear the costs because when a fake transaction occurs, it is voided and the merchant is often the party that takes the hit; or personally restrict it for transactions that are financially low in amounts.

Hail and well met!

Thu, 19 Mar 2009 11:20:43 +0000

Welcome to my new 'blog. Starting as soon as I'm able, I'll be posting and, hopefully, fostering discussion on identity federation and related topics.

Bonjour!

Thu, 12 Mar 2009 15:19:38 +0000

Welcome to my new blog.

My name is Marc Chanliau. I am currently responsible, from a product management perspective, for security infrastructure in Oracle's Identity Management division.

In this blog, I will publish regular entries discussing topics that encompass a vast range of security domains related to identity management.

Please feel free to share your comments on any subject of discussion.

Cheers,

Marc

iPhones and Enterprise Identity Management

Clayton — Wed, 04 Feb 2009 16:12:55 +0000

this blog posting, I spent some spare time putting together a native application for the iPhone that connects to some of Oracle's internal people and social networking sites.

So far it's been pretty popular. This isn't a surprise. Enterprises have always found that white pages applications are their top internal destination on intranets, so why should it be surprising that mobile applications that can access this information would be a top draw for employees.

Many people didn't initially see the link between what I was doing and enterprise identity management. After all, social networking and white pages look like an application, neither of which tend to be associated with Identity Management and the security-focused spin that has been placed on it recently.

I actually wrote the application in part to make it very clear that the Identity Management industry as a purely compliance and security segment is touching on only a very small part of the overall value of identity management. This is, of course, something Oracle has been saying all along with our messaging related to Application Centric Identity.

To make this simpler to understand, let's look at what you need to recreate the iPhone application I wrote:

iPhone SDK - Or just write a Web App
Web SSO - the client needs to authenticate, right?
Directory - these users belong somewhere...
HR System - need strong self-service and integration with the rest of the platform
Provisioning - you're not making users sign up for their own accounts, right? Also handles private groups and other key enterprise memberships out-of-the-box.

And optionally:

Role Management/Mining - Wouldn't it be great if you could seed some of the initial relationships by mining for existing relationships?
Virtual Directory - Did all of this information come from the same place? Your phone's bandwidth is low and latency is high, so you'll want to avoid multiple requests.

With the exception of the client SDK itself, all of this technology is available from Oracle. In fact, large chunks of this technology are probably already in place and ready to use as the basis for your own applications.

Just as importantly, aside from the security provided by Web SSO, almost every component above is really focused on the enablement of the application, rather than just the security of that application. If you think about it, this is what identity management has always been about...

Identity Management is not about denying access, it's about enabling access and sharing identity so that people can take advantage of the collaborative capabilities offered by today's networks and applications.

If you want to understand how mobile technology can take advantage of your enterprise identity infrastructure, let's talk further.

Move aside e-mail phishing, in-session phishing is in!

Sat, 17 Jan 2009 21:59:44 +0000

A bug found in all major browsers could make it easier for criminals to steal online banking credentials using a new type of attack called ‘in-session phishing’, say security researchers making e-mail phishing so passé'. Now criminals are using craftier attacks, including phishing online banking sessions through your browser while you're in session with your real online banking account, asking for details such as passwords and account numbers bypassing the heavily relied on protection provided by anti-spam, anti-virus & firewall protection solutions available today.

By studying the way browsers use JavaScript, fraudsters have found a way to identify whether or not someone is logged into a Web site, provided they use a certain JavaScript function, thereby giving the bad guys a solution to the biggest problem facing phishers these days: how to reach new victims. In a traditional phishing attack, the scammers send out millions of phony e-mail messages disguised to look like they come from legitimate companies, such as banks or online payment companies. Those messages are often blocked by spam-filtering software, which fortunately has gotten quite good at catching and eliminating many email-based phishing attacks. Traditionally, these emails disguise themselves so that they appear to be from a legitimate source, and trick the recipient into providing login details or account numbers but with in-session phishing, the e-mail message is taken out of the equation, replaced by a pop-up browser window. The fact that the end user is currently in-session lends a lot of credibility to the phishing message.

Here's how an attack would work: It works by fraudsters attacking a legitimate web site and implanting code on it that generates an illegitimate pop-up when visitors go to the legitimate site. Using a JavaScript function, the attacker can determine whether or not users are logged into one of several banking web sites based on pre-defined logic, and then if they are logged in, then the illegitimate pop-up would appear. Of course, like in an email phish, the pop-up is made to appear as though it comes from the legitimate source. The pop-up asks for identity information, which is then used, for example, to drain a bank account or steal sensitive corporate data. Based on the technique used, this attack technique is somewhat sophisticated as it requires that a base Web site is compromised and then the attacker must know which Web site the victim user is currently logged into. Once implemented successfully, 'in-session phishing' can be highly effective because the average end user is likely to enter credentials without a second thought in spite of secure authentication solutions in place including hard & soft tokens.

Researchers have found vulnerability in the JavaScript engine of all leading browsers including Internet Explorer, Firefox, Safari and Chrome, which allows a Web site to check whether a user is currently logged onto another website. The source of the vulnerability is a specific JavaScript function. When this function is called it leaves a temporary footprint on the computer and any other website can identify this footprint. Websites that use this function in a certain way are traceable. Many websites, including financial institutions, online retailers, social networking websites, gaming, and gambling websites use this function and can be traced.

As everyone knows those bad guys that are engaged in the phishing business are always trying to stay one step ahead of typical authentication schemes including out of band OTP & SMS, and like any good get-rich-quick criminals, will always have half a dozen new scams up their sleeves. But for these criminals, the hard part would be convincing victims that this pop-up notice is legitimate and this is where the new generation anti-phishing solutions like personalized interfaces or pads (like secure TextPad, PinPad, KeyPad, QuestionPad, Quizpad, etc.) that are unique to each end user can go a long way in incrementally deterring the fraudsters. Any end user logging into the site or entering OTP or transaction data or even answering challenge questions would do so using a personalized pad. Therefore, when the attacker prompts for the credentials in the popup window, they will not be requested through use of the pad as the hacker doesn’t have access to this. Therefore, the user would see this and (assuming they have been educated correctly) would not enter their credentials into this popup box despite the fact that it appears to come from the valid site.

Result: In-session phishing attack incrementally deterred!!

Other recommendations from security experts include users deploying turning off pop-ups in their browsers using browser security options; always logging out of banking and other sensitive online applications and accounts before navigating to other websites; being extremely suspicious of pop ups that appear in a web session if you have not clicked a hyperlink.

Pitfalls in Moving from Services to Software

Clayton — Wed, 01 Oct 2008 13:03:24 +0000

Got a lot of positive feedback on my post from yesterday about some lessons learned while growing OctetString, so will write a few more articles along these lines...

Given that consulting billing rates and hours go down in tough times, many consultants will undoubtedly decide to build businesses to "product-ize" some of their solutions.

This is completely possible -- our own Oracle Virtual Directory started out that way, as mentioned yesterday. Some of our best partners were started this way as well.

However, there are a number of common traps that consultants fall into when they enter the software business.

1. Repeatability, not complexity...

Repeatability in software gives you the ability to scale your customer base.

Consultants often work in the role of car mechanic -- look under the hood, find scary problems, suggest some solutions that will require parts and labor, and finally plan and implement that solution. Each customer has a new problem requiring different parts, plans, and execution.

Software is a very different business. You're looking for as much commonality as possible between customers so that what is delivered can be repeated at other customers with the minimum possible effort.

This doesn't mean that you can't solve complex problems or require services to implement. It simply means that the product-ized part of your product shouldn't be different for every customer.

It also goes without saying that building your software on standards-based middleware will help reduce the amount of post-sales time spent doing customized integration with each customer.

2. Don't design around one big customer...

Even companies that don't originate from consultants tend to fall into this trap a lot, but consultants do it almost every time because they tend to be solving a problem that they encountered at a particular customer.

It is wonderful finally finding a customer or prospect who will spend a significant time helping you understand their requirements. You should certainly listen to them -- they are the customer, eh?

The trick is to use that customer to validate your approach rather than try to solve every esoteric problem that the customer might have through your software.

You might consider providing extension points, allow for customer designed templates, and so forth to accommodate their needs without building less repeatable stuff into the product. You'll also want to consider that your product may not be the right place to solve a particular issue.

3. Consulting isn't Software Sales

Many consultants have great people skills. They can help customers understand complex technology as it relates to the customer's own environment. Customers often base decisions about technology purchases in-part on recommendations from expert consultants.

However, this doesn't always (or even often) translate into being able to actually sell software. Not that you can't learn to do so, but the process of selling is very different from the process of pitching a solution as a consultant.

As a consultant, you have high credibility in part due to your independence. As a vendor, that credibility is diluted to some degree, even when you're still trying to help the customer do the right thing to solve their problems.

The overall process goes far beyond what you say and how credible you are with a customer. You're going to need to educate yourself and bring in the right people to help you be successful.

What happens when you don't know what you're doing?

A (now) funny story from our very first sales call (with Fannie Mae, oddly enough) back in early 2001 before we hired our first sales person or took the time to better understand the sales process:

I was on the phone with the customer while another person from the company was acting as the "account manager". Nobody is in the same room. The customer's first question: "What does this solution cost?" Oops! We hadn't priced it yet and hadn't discussed how we would handle this question. After an uncomfortable silence, the customer's question was answered (after a flurry of background instant messaging).

Thankfully we got better at this with time, brought in people that had experience selling enterprise software, and things worked out well.

I should also point out that the very first customer we did end up selling to was BEA Systems. This is why a portion of Oracle Virtual Directory's original 1.0 release is actually embedded in every copy of WebLogic 7.0 and above.

Start-ups in a Down Market? Absolutely...

Clayton — Tue, 30 Sep 2008 14:33:05 +0000

Many of you know that I came to Oracle through the acquisition of OctetString. You may not realize that I co-founded OctetString in early 2001, which was during the last downturn. In fact, we were negotiating our first software sale when the 9/11 terrorist attacks occurred.

So I read with great interest Jason Calacanis's email (and blog post) discussing how startups can better survive an economic downturn. Given that he too started his last company (WebLogs, acquired by AOL--think Engadget) during the last downturn, he's got very solid advice. I don't agree with a few specific items (never had a reason to test dedication with Sunday morning meetings), but overall a great read.

I thought I'd share a bit of advice and a few tales from that same period of time, but in the enterprise software space.

When we first started OctetString and created what is now the Oracle Virtual Directory, we had a number of pre-baked customers that were lined up to buy our software. Unfortunately, most of these were telco customers and by mid-2001 our phone calls weren't simply finding people who had been pink-slipped, but entire divisions that had been abandoned and certainly weren't going to be buying software from us anytime soon.

What kept things going was pretty simple:

1. Keep costs low -- especially recurring

While all expenses should be reviewed, you're going to want to pay particular attention to things that are recurring, including people, rent, etc...

When we needed hardware, I just made a trip to the local liquidator. HP-UX server: $800. Solaris box: $995. A bit like going to a junk yard and not as glamorous as handing over a check to your local rep, but it works.

Until almost 2003 we didn't even have an office, and even then I just used a Regus facility in order to share some common services with other companies (and not worry about anything related to maintaining the office itself). Not to mention the lease was relatively short-term (and I loved their coffee machine).

2. Retain an insanely dedicated core group

Jason makes this point and mentions seeing who shows up for a Sunday morning meeting or such to see who's dedicated. I think you'll know who the right people are even without having to test them.

These people won't care about fancy offices or silly perks. My first sales guy closed a critical deal with Pfizer in the United economy class line at O'Hare Airport on the way to Germany. Another critical deal with Coca-cola was closed in a phone booth at University of Illinois while a kid was breaking up with his girlfriend in the next booth (it's not you, it's me). Not having an office or business class for international trips didn't seem to stand in the way of his performance.

Others were equally (and probably more) dedicated. In the earlier dry times it wasn't uncommon to be deferring paychecks.

3. Make something people actually NEED -- particularly during bad times

When we started the company, we noticed that most enterprises were still doing multi-year projects to consolidate and synchronize all of their user repositories with a technology called "meta-directory".

The underlying need was to get all user information into a single place for portals, ERP, HCM, CRM, and related business applications. These are big, important applications and every one of them needs information about usernames, passwords, roles, department numbers, reporting hierarchy, and so-forth to function.

This may seem trivial, and today using software like Oracle Identity Management it's a lot easier, but at the time it was a black art requiring lots of consultants, lots of software, and Big Dig style project timelines (and success rates, unfortunately).

We simply shrank many of these projects from years to days and the results couldn't be ignored.

One particular customer implementing a CRM solution with a lot of consultants estimated that they saved something like $10m in consulting over-runs alone.

You have to be having a huge impact that can't be ignored simply because you're not the right vendor. This is especially true when times are tight and customers become more conservative. Customers know that a lot of smaller vendors won't make it and don't want to be stuck with abandonware.

Looking forward to comments. Thinking to do a few more posts on this topic if there's any demand.