Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Securely Enabling Mobile Access for Business Transformation
Lee Howarth
Oracle Product Management
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Program Agenda
Introduction to Mobile Security
Oracle’s Mobile Security Technology
Planning for Secure Mobile Access
– Customer Case Studies
Mobile Market Trends - Security is essential
90% companies with mobile apps in 2014
Companies exposing more APIs and services on the Internet to support mobile applications
76% of Mobile Apps store passwords on the device – 10% in plain text
2/3 companies expect to deploy corporate app stores to control delivery of mobile applications
Mobile Security - Challenges on IT
IT is asking itself:
– How do I enable the business to take advantage of mobile access, while maintaining required levels of control?
– How do we maximize the user experience while minimizing risk?
– How do we support the organization’s BYOD policy?
IT has to manage the typical struggle between access and control
[Figure labels: Access, Control]
Why is mobile causing IT more headaches?
Mobile access complicates information and application architecture discussions
Security
• How secure is the network?
• Do we need offline support?
• What happens to corporate data when the device is lost or stolen?
• What policies control access to application and data?
• How will the device connect (WiFi/cell)?
• Where will it connect from (GEO)?
• Which devices should we support (iOS, Android..)?
• What’s the best type of application (Web, Hybrid, Native)?
• How to quickly develop secure apps?
• How do we run corporate apps in a secured encrypted environment without inhibiting mobile productivity?
• Where to securely host to request and provision apps?
• We can control corporate owned devices, but what about personal owned devices?
• What’s our BYOD policy?
• Do we need a separate infrastructure and team to maintain mobile security?
All of this before I even figure out authentication and authorization requirements!!!!
Device/App Type Ownership
Web, Hybrid and Native apps – What does it all mean?
Web
– Limited device interaction – app typically written to render HTML to device form factor
Hybrid Applications
– Embed HTML5 apps inside a thin native container – simplifies development and delivery across multiple platforms
Native Applications
– Specific to a given platform, fully capable (specialized development environments such as Xcode)
[Figure: Native, Hybrid and Web apps placed by platform reach (single platform to multiple platforms) and capability (partial capability to full capability)]
Mobile Security Terms – Variety of technology
Container
MDM
MAM
Registration
Many of the security terms you have heard focus on device security (MDM)
Shift towards more focused device security to enable BYOD – Mobile Application Management
Traditional Access Management challenges also need to be addressed – Authentication, SSO…
What’s needed in a Mobile Access Management solution
Bridges the gap between mobile devices and IAM control
Provides context-driven, risk-aware access management
Simplifies developer access to IAM
Supports BYOD
Quickly and securely exposes sensitive corporate resources
Provides visibility and control
[Figure: MOBILE ACCESS MANAGEMENT, with labels Single Sign-on, Secure Transactions, Device Registration, Device & Location Context, API Security]
Standard Interfaces
Mobile Security
Social Sign-On
Oracle Access Management Mobile & Social
Configurable Access Management Service
Mobile Security Platform
– Authentication and SSO
– Strong Authentication, Device Fingerprinting and Risk-based access
– Mobile SDK
Internet / Social Integration
REST / Cloud Interfaces
Mobile Security Architecture
[Architecture diagram. Columns: Mobile Device, Mobile Interfaces, IDM Infrastructure, Features. Labels: Native App, Web App, Security App, Oracle SDK, Authentication, Authorization, User Profile, API, REST, DMZ, Access Management, OAM Service, OAAM Service, OES Service, OPSS Service, Directory Services, Device Registration, Lost & Stolen Devices, GPS/WIFI Location Awareness, Device Fingerprinting & Tracking, Risk-based KBA & OTP, Transactional risk analysis, White & Black Lists, Platform Security Services (OPSS), User Profile Services, White Pages applications, User Self Registration/Self Service]
Complete Mobile Security
Requires interface and data flow control policies
– RESTful interfaces are the standard method to access/update data from native applications
  Securing these interface points is critical
– Data-flow policies should be context-driven
  Device location, device integrity, identity verification process
API Security – Secure Mobile Access to Corporate Information
Transformation
API Control & Governance
API Management & Monitoring
Threat Protection
Client Throttling
Secure REST API’s
Access Management
Extend Access Management to REST API’s
• Context Aware
• Authentication
• Authorization
• Fraud Detection
• Security Tokens
• Data Redaction
• Audit
OAUTH 2.0 Client & Server
Native JSON & XML Processing
< XML >
{ “JSON” }
API Key Management
Comprehensive Mobile Security
Corporate DMZ
Corporate Network
Mobile and Social
Webgate / OHS
API / Web Services
Oracle Access Manager
Oracle API Gateway
Web Traffic
REST Traffic
OAM Protected Resource
Oracle Entitlements Server
Planning for Secure Mobile Applications
Understand the requirement – it’s more than just technology
– Involve all relevant stakeholders – App owners, Security/Risk, Telecoms, IAM, Development teams….
Identify need for written and technology policies
Identify development standards
– Hybrid, Native, Web
Understand access points
– Client, Server, Perimeter
Customer Case Studies
Turkey Ministry of Education
Overview of systems
How you see Mobile technologies transforming your systems
How are you approaching projects involving these technologies – Analysis, Stakeholders, Planning, Deployment etc.
How do you see Oracle’s technology helping you with this
How do you think these technologies will evolve in the coming years
Abdullah Togay, Deputy General Manager - CTO, Ministry of National Education
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
Verizon Wireless
Mobile & Social SSO
Anup Thomas
Associate Director - eCommerce, Self Serve, and Products IT
September, 2013
Verizon Wireless - Overview of Business
Omni Channel View
– Web, Mobile, IVR, Retail
– eChannels & eSupport
– SSO
– Global Navigation
– Omni Services
Mobile & Tablet Web, Retail Self Serve
Customer Experience – World-Class Network, Stores, Customer Service
IVR eChannels & eSupport
Social
Shift in Channel Affinity Towards Mobile
Trend Insights
– Sales & Service
– Overall transactions
– YoY Increase for Mobile
– Complex transactions
– YoY Increase for Mobile
– Optimization
– Time to Market
– SaaS
eCommerce
Account Management
Backup Assistant Plus
Account Analysis
Forums
Usage Controls
Mobile & Social – Planning Approach
STEPS and GOALS
MEASURE – Web & Mobile Analytics
• Clear Metrics on current app-app / app-web handoffs
• Example: Out of “x” logins per month on the mobile app, “y” represents the number of customers who click through to another app or web site and “z” represents the abandons
DEFINE - ROI
• Define Annual Savings (Care Call Deflections, etc.)
• Define Incremental Revenue (Sales)
• Define Impact to Customer Satisfaction (NPS, etc.)
START WITH A POC / LIMITED TRIAL
• Leverage existing SSO infrastructure
• Leverage REST services for efficient integration
• Stick to your most visible use case (popular app / site SSO)
MEASURE POST IMPLEMENTATION METRICS
• Measure incremental sales, reduced costs, Customer Satisfaction
• Plan Future Phases
GET AN EXECUTIVE CHAMPION
• Think OOTB for Mobile/Social SSO
• Marketing, Sales, Care Sponsors!
Potential Integrated Architecture
– Mobile SSO : App to App, App to Web
– Authorization
– Risk Management
– Social Login / Sign On
[Architecture diagram labels: Mobile Device, Native App, App, Web, Oracle SDK, REST Calls, Oracle M&S, Oracle OpenSSO, OAAM, Security Image, Personal Phrase, Real Time Risk Analysis, Core Identity, Access, & Risk Management, Directory, Social Log In]
Potential Future States
Don’t miss these IDM Sessions
CON8817 Tuesday 09/24, 5:15PM
Moscone West, Room 2018
API Management: Enable Your Infrastructure for Secure Mobile and Cloud Use
Ganesh Kirti, Oracle
CON8823 Wednesday 09/25, 5:00PM
Moscone West, Room 2018
Access Management for the Internet of Things
Kanishk Mahajan, Oracle
CON8902 Thursday, 09/26 2:00PM
Marriott Marquis – Golden Gate C3
Developing Secure Mobile Applications
Mark Wilcox, Oracle
CON8837 Wednesday 09/25, 11:45AM
Moscone West, Room 2018
Leverage Authorization to Monetize Content and Media Subscriptions
Roger Wigenstam, Oracle
CON9024 Thursday 09/26, 2:00PM
Moscone West, Room 2018
Next Generation Optimized Directory - Oracle Unified Directory
Etienne Remillon, Oracle
Oracle Fusion Middleware
Business Innovation Platform for the Enterprise and Cloud
Complete and Integrated
Best-in-class
Open standards
On-premise and Cloud
Foundation for Oracle Fusion Applications and Oracle Cloud
User Engagement
Identity Management
Business Process Management
Content Management
Business Intelligence
Service Integration Data Integration
Development Tools
Cloud Application Foundation
Enterprise Management
Web Social Mobile