Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

Securely Enabling Mobile Access for Business Transformation
Lee Howarth, Oracle Product Management
Lee Howarth's OOW2013 presentation

Speaker notes
  • Oracle Access Manager for Mobile and Social Overview
    Connects mobile users to identity services using REST interfaces. Organizations can bridge the security gap between the enterprise and mobile devices. With RESTful identity services, rich mobile applications can access stateless identity functions from mobile devices, which are limited by processing capacity and battery power. Organizations can make their backend services and data available in a secure manner by simply exposing these through virtual REST APIs in the DMZ. Messages, security tokens, and protocols are automatically translated between formats appropriate for mobile devices and the source system. REST APIs can mash up information from multiple sources and be protected from a wide variety of attacks (denial of service, SQL injection, content retrieval attacks, etc.), usage can be monitored, and all your Oracle Access Management technologies can be leveraged for further protection.
    Delivers SSO and Authorization for native mobile applications. Traditional mobile security solutions like VPN tunnels are limited in that they cannot overcome the problem of SSO for native mobile apps. OAM-M&S simplifies SSO across rich mobile apps and browser applications. This reduces the number of logins required for enterprise applications from the native mobile screen. Authorization can control what transactions end users are able to perform from a device and under what conditions. Perhaps only transactions below a given amount are allowed from a mobile device. An organization's REST APIs require authorization: what data is accessible to a given user must be controlled and monitored. A user's location and device state may need to be taken into account.
    Enables sign-on from 3rd party and Social identities to Enterprise resources. With the proliferation of social networking sites, there is a need for relying parties to consume identities from internet identity providers like Facebook, Twitter, LinkedIn, Google and Yahoo. Many of these providers support user-centric federation standards like OpenID and OAuth. OAM-M&S enables organizations to accept internet identities for signing on users to low-value applications like blogs, communities, etc. This in turn can provide a seamless user experience for users without the burden of additional logins. Single Sign-On covers web applications, native mobile applications, and also the RESTful APIs and web services accessed from the device.
    Supports industry standards (OpenID, OAuth). Oracle IDM supports OpenID and OAuth. So with Oracle Identity Management we are making it easier for relying parties to accept identities from internet identity providers like Facebook, Twitter, LinkedIn, Google and Yahoo.
  • Mobile Security – web and mobile app
    Device registration and fingerprint
    Lost & stolen device security
    GPS/WIFI based location awareness
  • With Fusion Middleware, you can extend and maximize your existing technology investment with the same technologies used in Fusion Applications, including embedded analytics and social collaboration, and mobile and cloud computing. Oracle’s complete SOA platform lets your IT organization rapidly design, assemble, deploy, and manage adaptable business applications and—with Oracle’s business process management tools—even bring the task of modeling business processes directly to the business analysts. Oracle Business Intelligence foundation brings together all your enterprise data sources in a single, easy-to-use solution, delivering consistent insights whether it’s through ad hoc queries and analysis, interactive dashboards, scorecards, OLAP, or reporting. And, your existing enterprise applications can leverage the rich social networking capabilities and content sharing that users have come to expect in consumer software. Oracle Fusion Middleware is based on 100 percent open standards, so you aren’t locked into one deployment model when your business requirements change.
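The authorization conditions in the notes above (a transaction cap for the mobile channel, device registration and state, location, step-up where the risk is higher) worked through as an added Python example. This is a constructed illustration, not Oracle Access Manager's code or API; the field names, thresholds and country list are assumptions.

```python
"""Context-driven authorization for a mobile transaction request.

Added example, not Oracle code: it models the conditions the speaker notes
describe. A transaction is allowed from a mobile device only below a given
amount, and the device's registration, integrity and location are taken
into account. Thresholds, country list and field names are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DeviceContext:
    device_id: str
    channel: str          # "mobile" or "web": the channel the request arrived on
    registered: bool      # device completed registration / fingerprinting
    integrity_ok: bool    # e.g. not jailbroken or rooted (assumed attribute)
    country: str          # resolved from GPS/WiFi location (assumed attribute)


@dataclass(frozen=True)
class Policy:
    mobile_amount_limit: float = 500.0    # constructed cap for the mobile channel
    step_up_amount: float = 100.0         # above this, require a second factor
    allowed_countries: frozenset = frozenset({"US", "CA"})  # constructed list


@dataclass(frozen=True)
class Decision:
    allow: bool
    rule: str              # which rule produced the decision, for the audit trail
    step_up: bool = False  # caller should trigger OTP/KBA and resubmit


def authorize_transaction(amount: float, ctx: DeviceContext, mfa_verified: bool,
                          policy: Optional[Policy] = None) -> Decision:
    """Evaluate rules in order; the first failing rule decides the request."""
    policy = policy or Policy()
    if amount <= 0:
        return Decision(False, "invalid-amount")
    if ctx.channel == "mobile":
        # Device-state and location rules apply only to the mobile channel.
        if not ctx.registered:
            return Decision(False, "device-not-registered")
        if not ctx.integrity_ok:
            return Decision(False, "device-integrity-failed")
        if ctx.country not in policy.allowed_countries:
            return Decision(False, "location-not-permitted")
        if amount > policy.mobile_amount_limit:
            return Decision(False, "amount-over-mobile-limit")
    if amount > policy.step_up_amount and not mfa_verified:
        # Not a hard deny: the client can resubmit after step-up authentication.
        return Decision(False, "step-up-required", step_up=True)
    return Decision(True, "allowed")


if __name__ == "__main__":
    phone = DeviceContext("dev-123", "mobile", True, True, "US")  # constructed
    for amt, mfa in ((50.0, False), (250.0, False), (250.0, True), (900.0, True)):
        print(amt, mfa, authorize_transaction(amt, phone, mfa))
```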
  • Con8896 securely enabling mobile access for business transformation - final

    1. Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
    2. Securely Enabling Mobile Access for Business Transformation. Lee Howarth, Oracle Product Management.
    3. Safe Harbor Statement. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
    4. Program Agenda
        Introduction to Mobile Security
        Oracle’s Mobile Security Technology
        Planning for Secure Mobile Access – Customer Case Studies
    5. Mobile Market Trends – Security is essential
       Companies are exposing more APIs and services on the Internet to support mobile applications.
        90% of companies with mobile apps in 2014
        76% of mobile apps store passwords on the device – 10% in plain text
        2/3 of companies expect to deploy corporate app stores to control delivery of mobile applications
    6. Mobile Security – Challenges on IT
        IT has to manage the typical struggle between access and control [diagram: Control vs. Access]
        IT is asking itself:
         – How do I enable the business to take advantage of mobile access, while maintaining required levels of control?
         – How do we maximize the user experience while minimizing risk?
         – How do we support the organization's BYOD policy?
    7. Why is mobile causing IT more headaches?
        Mobile access complicates information and application architecture discussions
       Security:
         • How secure is the network?
         • Do we need offline support?
         • What happens to corporate data when the device is lost or stolen?
         • What policies control access to application and data?
         • How will the device connect (WiFi/cell)? Where will it connect from (GEO)?
       Device/App Type:
         • Which devices should we support (iOS, Android..)?
         • What’s the best type of application (Web, Hybrid, Native)?
         • How to quickly develop secure apps?
         • How do we run corporate apps in a secured encrypted environment without inhibiting mobile productivity?
         • Where to securely host to request and provision apps?
       Ownership:
         • We can control corporate owned devices, but what about personally owned devices?
         • What’s our BYOD policy?
         • Do we need a separate infrastructure and team to maintain mobile security?
       All of this before I even figure out authentication and authorization requirements!
    8. Web, Hybrid and Native apps – What does it all mean?
        Web
         – Limited device interaction – app typically written to render HTML to device form factor
        Hybrid Applications
         – Embed HTML5 apps inside a thin native container – simplifies development and delivery across multiple platforms
        Native Applications
         – Specific to a given platform, fully capable (specialized development environments such as Xcode)
       [Chart: Native, Hybrid and Web plotted from partial to full capability against single platform to multiple platforms]
    9. Mobile Security Terms – Variety of technology
       Many of the security terms you have heard focus on device security (MDM): MDM, MAM, Container, Registration.
       Shift towards more focused device security to enable BYOD – Mobile Application Management.
       Traditional Access Management challenges also need to be addressed – Authentication, SSO…
    10. What’s needed in a Mobile Access Management solution
        Bridges the gap between mobile devices and IAM control
        Provides context-driven, risk-aware access management
        Simplifies developer access to IAM
        Supports BYOD
        Quickly and securely exposes sensitive corporate resources
        Provides visibility and control
       [Diagram labels: API Security, Device & Location Context, Device Registration, Secure Transactions, Single Sign-on, Management]
    11. Oracle Access Management Mobile & Social
       [Diagram labels: Mobile Security, Social Sign-On, Standard Interfaces]
    12. Configurable Access Management Service
        Mobile Security Platform
         – Authentication and SSO
         – Strong Authentication, Device Fingerprinting and Risk-based access
         – Mobile SDK
        Internet / Social Integration
        REST / Cloud Interfaces
    13. Mobile Security Architecture
       [Architecture diagram] Mobile Device (Native App, Web App, Security App, Oracle SDK) → DMZ / Mobile Interfaces (REST: Authentication API, Authorization API, Device Fingerprinting & Tracking, User Profile API) → IDM Infrastructure / Access Management (OAM Service, OES Service, OAAM Service, OPSS Service, User Profile Services; Platform Security Services (OPSS), Directory Services).
       Features: Device Registration, Lost & Stolen Devices, GPS/WIFI Location Awareness, Risk-based KBA & OTP, Transactional risk analysis, White & Black Lists, User Self Registration/Self Service, White Pages applications.
    14. Complete Mobile Security
        Requires interface and data flow control policies
         – RESTful interfaces are the standard method to access/update data from native applications
        Securing these interface points is critical
         – Data-flow policies should be context-driven: device location, device integrity, identity verification process
    15. API Security – Secure Mobile Access to Corporate Information
       Secure REST APIs: Threat Protection, Client Throttling, API Control & Governance, Transformation ({ “JSON” } ↔ < XML >), API Management & Monitoring, OAuth 2.0 Client & Server, API Key Management, Native JSON & XML Processing.
       Access Management – Extend Access Management to REST APIs:
         • Context Aware Authentication
         • Authorization
         • Fraud Detection
         • Security Tokens
         • Data Redaction
         • Audit
    16. Comprehensive Mobile Security
       [Deployment diagram] Corporate DMZ: Web Traffic → Webgate / OHS; REST Traffic → Mobile and Social, Oracle API Gateway. Corporate Network: OAM Protected Resource, API / Web Services, Oracle Access Manager, Oracle Entitlements Server.
    17. Planning for Secure Mobile Applications
        Understand the requirement – it’s more than just technology
         – Involve all relevant stakeholders – App owners, Security/Risk, Telecoms, IAM, Development teams….
        Identify the need for written and technology policies
        Identify development standards – Hybrid, Native, Web
        Understand access points – Client, Server, Perimeter
    18. Customer Case Studies
    19. Turkey Ministry of Education. Abdullah Togay, Deputy General Manager – CTO, Ministry of National Education
        Overview of systems
        How you see Mobile technologies transforming your systems
        How are you approaching projects involving these technologies – Analysis, Stakeholders, Planning, Deployment etc.
        How do you see Oracle’s technology helping you with this
        How do you think these technologies will evolve in the coming years
    20. Verizon Wireless – Mobile & Social SSO. Anup Thomas, Associate Director – eCommerce, Self Serve, and Products IT. September 2013.
       Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
    21. Verizon Wireless – Overview of Business
       Customer Experience – World-Class Network, Stores, Customer Service
       Omni Channel View – Web, Mobile, IVR, Retail – eChannels & eSupport – SSO – Global Navigation – Omni Services
       [Diagram labels: Mobile & Tablet, Web, Retail, Self Serve IVR, eChannels & eSupport, Social]
    22. Shift in Channel Affinity Towards Mobile
       [Chart labels: Account Management, eCommerce, Usage Controls, Forums, Backup Assistant Plus, Account Analysis]
       Trend Insights – Sales & Service
         – Overall transactions – YoY increase for Mobile
         – Complex transactions – YoY increase for Mobile
         – Optimization – Time to Market – SaaS
    23. Mobile & Social – Planning Approach (Steps and Goals)
       MEASURE – Web & Mobile Analytics
         • Clear metrics on current app-app / app-web handoffs
         • Example: Out of “x” logins per month on the mobile app, “y” represents the number of customers who click through to another app or web site and “z” represents the abandons
       DEFINE – ROI
         • Define Annual Savings (Care Call Deflections, etc.)
         • Define Incremental Revenue (Sales)
         • Define Impact to Customer Satisfaction (NPS, etc.)
       GET – AN EXECUTIVE CHAMPION
         • Think OOTB for Mobile/Social SSO
         • Marketing, Sales, Care Sponsors!
       START WITH A POC / LIMITED TRIAL
         • Leverage existing SSO infrastructure
         • Leverage REST services for efficient integration
         • Stick to your most visible use case (popular app / site SSO)
       MEASURE POST IMPLEMENTATION METRICS
         • Measure incremental sales, reduced costs, Customer Satisfaction
         • Plan Future Phases
    24. Potential Integrated Architecture
       [Architecture diagram] Mobile Device (Web, Native App with Oracle SDK, Social Log In, App) → REST Calls → Oracle M&S, Oracle OpenSSO, Directory, OAAM (Real Time Risk Analysis, Personal Phrase, Security Image).
       Core Identity, Access, & Risk Management
         – Mobile SSO: App to App, App to Web
         – Authorization
         – Risk Management
         – Social Login / Sign On
    25. Potential Future States
    26. Don’t miss these IDM Sessions
       CON8817 – Tuesday 09/24, 5:15PM, Moscone West, Room 2018 – API Management: Enable Your Infrastructure for Secure Mobile and Cloud Use – Ganesh Kirti, Oracle
       CON8823 – Wednesday 09/25, 5:00PM, Moscone West, Room 2018 – Access Management for the Internet of Things – Kanishk Mahajan, Oracle
       CON8837 – Wednesday 09/25, 11:45AM, Moscone West, Room 2018 – Leverage Authorization to Monetize Content and Media Subscriptions – Roger Wigenstam, Oracle
       CON8902 – Thursday 09/26, 2:00PM, Marriott Marquis, Golden Gate C3 – Developing Secure Mobile Applications – Mark Wilcox, Oracle
       CON9024 – Thursday 09/26, 2:00PM, Moscone West, Room 2018 – Next Generation Optimized Directory: Oracle Unified Directory – Etienne Remillon, Oracle
    27. Oracle Fusion Middleware – Business Innovation Platform for the Enterprise and Cloud
        Complete and Integrated
        Best-in-class User Engagement
        Open standards
        On-premise and Cloud
        Foundation for Oracle Fusion Applications and Oracle Cloud
       [Diagram labels: Web, Social, Mobile; Business Process Management; Content Management; Service Integration; Business Intelligence; Data Integration; Identity Management; Development Tools; Cloud Application Foundation; Enterprise Management]
    28. (copyright footer only)
    29. (copyright footer only)
