Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

Con8896 securely enabling mobile access for business transformation - final

Jan 15, 2015


OracleIDM

Lee Howarth's OOW2013 presentation
Transcript

Page 2: Con8896  securely enabling mobile access for business transformation - final

Securely Enabling Mobile Access for Business Transformation

Lee Howarth

Oracle Product Management

Page 3: Con8896  securely enabling mobile access for business transformation - final


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Page 4: Con8896  securely enabling mobile access for business transformation - final


Program Agenda

Introduction to Mobile Security

Oracle’s Mobile Security Technology

Planning for Secure Mobile Access – Customer Case Studies

Page 5: Con8896  securely enabling mobile access for business transformation - final


Mobile Market Trends - Security is essential

90% companies with mobile apps in 2014

Companies exposing more APIs and services on the Internet to support mobile applications

76% of Mobile Apps store passwords on the device – 10% in plain text

2/3 companies expect to deploy corporate app stores to control delivery of mobile applications

Page 6: Con8896  securely enabling mobile access for business transformation - final


Mobile Security - Challenges on IT

IT is asking itself:

– How do I enable the business to take advantage of mobile access, while maintaining required levels of control

– How do we maximize the user experience while minimizing risk

– How do we support the organization's BYOD policy

IT has to manage the typical struggle between access and control

[Figure labels: Access, Control]

Page 7: Con8896  securely enabling mobile access for business transformation - final


Why is mobile causing IT more headaches?

Mobile access complicates information and application architecture discussions

Security

• How secure is the network?

• Do we need offline support?

• What happens to corporate data when the device is lost or stolen?

• What policies control access to application and data?

• How will the device connect (WiFi/cell)?

• Where will it connect from (GEO)?

• Which devices should we support (iOS, Android..)?

• What’s the best type of application (Web, Hybrid, Native)?

• How to quickly develop secure apps?

• How do we run corporate apps in a secured encrypted environment without inhibiting mobile productivity?

• Where to securely host to request and provision apps?

• We can control corporate owned devices, but what about personal owned devices?

• What’s our BYOD policy?

• Do we need a separate infrastructure and team to maintain mobile security?

All of this before I even figure out authentication and authorization requirements !!!!

Device/App Type Ownership

Page 8: Con8896  securely enabling mobile access for business transformation - final


Web, Hybrid and Native apps – What does it all mean?

Web

– Limited device interaction – app typically written to render HTML to device form factor

Hybrid Applications

– Embed HTML5 apps inside a thin native container – simplifies development and delivery across multiple platforms

Native Applications

– Specific to a given platform, fully capable (specialized development environments such as Xcode)

[Figure: Native, Hybrid and Web apps placed on two axes: single platform to multiple platforms, and partial capability to full capability]

Page 9: Con8896  securely enabling mobile access for business transformation - final


Mobile Security Terms – Variety of technology

Container

MDM

MAM

Registration

Many of the security terms you have heard focus on device security (MDM)

Shift towards more focused device security to enable BYOD – Mobile Application Management

Traditional Access Management challenges also need to be addressed – Authentication, SSO…

Page 10: Con8896  securely enabling mobile access for business transformation - final


What’s needed in a Mobile Access Management solution

Bridges the gap between mobile devices and IAM control

Provides context-driven, risk-aware access management

Simplifies developer access to IAM

Supports BYOD

Quickly and securely exposes sensitive corporate resources

Provides visibility and control

[Figure: Mobile Access Management: Single Sign-on, Secure Transactions, Device Registration, Device & Location Context, API Security]

Page 11: Con8896  securely enabling mobile access for business transformation - final


Standard Interfaces

Mobile Security

Social Sign-On

Oracle Access Management Mobile & Social

Page 12: Con8896  securely enabling mobile access for business transformation - final


Configurable Access Management Service

Mobile Security Platform

– Authentication and SSO

– Strong Authentication, Device Fingerprinting and Risk-based access

– Mobile SDK

Internet / Social Integration

REST / Cloud Interfaces

Page 13: Con8896  securely enabling mobile access for business transformation - final


Mobile Security Architecture

[Architecture diagram. Columns: Mobile Device, Mobile Interfaces, IDM Infrastructure, Features. Labels: Native App; Web App; Security App; Oracle SDK; Authentication; Authorization; User Profile; REST; API; DMZ; Access Management; OAM Service; OAAM Service; OPSS Service; OES Service; Directory Services; Platform Security Services (OPSS); User Profile Services; Device Registration; Lost & Stolen Devices; GPS/WIFI Location Awareness; Device Fingerprinting & Tracking; Risk-based KBA & OTP; Transactional risk analysis; White Pages applications; User Self Registration/Self Service; White & Black Lists]

Page 14: Con8896  securely enabling mobile access for business transformation - final


Complete Mobile Security

Requires interface and data flow control policies

– RESTful interfaces are the standard method to access/update data from native applications

Securing these interface points is critical

– Data-flow policies should be context-driven

Device location, device integrity, identity verification process

Page 15: Con8896  securely enabling mobile access for business transformation - final


API Security – Secure Mobile Access to Corporate Information

Transformation

API Control & Governance

API Management & Monitoring

Threat Protection

Client Throttling

Secure REST APIs

Access Management

Extend Access Management to REST APIs

• Context Aware
• Authentication
• Authorization
• Fraud Detection
• Security Tokens
• Data Redaction
• Audit

OAUTH 2.0 Client & Server

Native JSON & XML Processing

API Key Management

Page 16: Con8896  securely enabling mobile access for business transformation - final


Comprehensive Mobile Security

Corporate DMZ

Corporate Network

Mobile and Social

Webgate / OHS

API / Web Services

Oracle Access Manager

Oracle API Gateway

Web Traffic

REST Traffic

OAM Protected Resource

Oracle Entitlements Server

Page 17: Con8896  securely enabling mobile access for business transformation - final


Planning for Secure Mobile Applications

Understand the requirement – it's more than just technology

– Involve all relevant stakeholders – App owners, Security/Risk, Telecoms, IAM, Development teams….

Identify need for written and technology policies

Identify development standards

– Hybrid, Native, Web

Understand access points

– Client, Server, Perimeter

Page 18: Con8896  securely enabling mobile access for business transformation - final


Customer Case Studies

Page 19: Con8896  securely enabling mobile access for business transformation - final


Turkey Ministry of Education

Overview of systems

How you see Mobile technologies transforming your systems

How are you approaching projects involving these technologies – Analysis, Stakeholders, Planning, Deployment etc.

How do you see Oracle’s technology helping you with this

How do you think these technologies will evolve in the coming years.

Abdullah Togay, Deputy General Manager - CTO, Ministry of National Education

Page 20: Con8896  securely enabling mobile access for business transformation - final

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.


Verizon Wireless

Mobile & Social SSO

Anup Thomas

Associate Director - eCommerce, Self Serve, and Products IT

September, 2013

Page 21: Con8896  securely enabling mobile access for business transformation - final


Verizon Wireless - Overview of Business

Omni Channel View

– Web, Mobile, IVR, Retail

– eChannels & eSupport

– SSO

– Global Navigation

– Omni Services

Mobile & Tablet Web, Retail Self Serve

Customer Experience – World-Class Network, Stores, Customer Service

IVR eChannels & eSupport

Social

Page 22: Con8896  securely enabling mobile access for business transformation - final


Shift in Channel Affinity Towards Mobile

Trend Insights

– Sales & Service

– Overall transactions

– YoY Increase for Mobile

– Complex transactions

– YoY Increase for Mobile

– Optimization

– Time to Market

– SaaS

eCommerce

Account Management

Backup Assistant Plus

Account Analysis

Forums

Usage Controls

Page 23: Con8896  securely enabling mobile access for business transformation - final


Mobile & Social – Planning Approach

STEPS / GOALS

MEASURE – Web & Mobile Analytics
• Clear Metrics on current app-app / app-web handoffs
• Example: Out of “x” logins per month on the mobile app, “y” represents the number of customers who click through to another app or web site and “z” represents the abandons

DEFINE - ROI
• Define Annual Savings (Care Call Deflections, etc.)
• Define Incremental Revenue (Sales)
• Define Impact to Customer Satisfaction (NPS, etc.)

START WITH A POC / LIMITED TRIAL
• Leverage existing SSO infrastructure
• Leverage REST services for efficient integration
• Stick to your most visible use case (popular app / site SSO)

MEASURE POST IMPLEMENTATION METRICS
• Measure incremental sales, reduced costs, Customer Satisfaction
• Plan Future Phases

GET AN EXECUTIVE CHAMPION
• Think OOTB for Mobile/Social SSO
• Marketing, Sales, Care Sponsors!

Page 24: Con8896  securely enabling mobile access for business transformation - final


Potential Integrated Architecture

– Mobile SSO : App to App, App to Web

– Authorization

– Risk Management

– Social Login / Sign On

[Architecture diagram labels: Mobile Device; App; Native App; Web; Oracle SDK; Oracle M&S; REST Calls; Oracle OpenSSO; OAAM; Security Image; Personal Phrase; Real Time Risk Analysis; Core Identity, Access, & Risk Management; Directory; Social Log In]

Page 25: Con8896  securely enabling mobile access for business transformation - final


Potential Future States

Page 26: Con8896  securely enabling mobile access for business transformation - final


Don’t miss these IDM Sessions

CON8817 Tuesday 09/24, 5:15PM

Moscone West, Room 2018

API Management: Enable Your Infrastructure for Secure Mobile and Cloud Use

Ganesh Kirti, Oracle

CON8823 Wednesday 09/25, 5:00PM

Moscone West, Room 2018

Access Management for the Internet of Things

Kanishk Mahajan, Oracle

CON8902 Thursday, 09/26 2:00PM

Marriott Marquis – Golden Gate C3

Developing Secure Mobile Applications

Mark Wilcox, Oracle

CON8837 Wednesday 09/25, 11:45AM

Moscone West, Room 2018

Leverage Authorization to Monetize Content and Media Subscriptions

Roger Wigenstam, Oracle

CON9024 Thursday 09/26, 2:00PM

Moscone West, Room 2018

Next Generation Optimized Directory - Oracle Unified Directory

Etienne Remillon, Oracle

Page 27: Con8896  securely enabling mobile access for business transformation - final


Oracle Fusion Middleware

Business Innovation Platform for the Enterprise and Cloud

Complete and Integrated

Best-in-class

Open standards

On-premise and Cloud

Foundation for Oracle Fusion Applications and Oracle Cloud

User Engagement

Identity Management

Business Process Management

Content Management

Business Intelligence

Service Integration

Data Integration

Development Tools

Cloud Application Foundation

Enterprise Management

Web Social Mobile
