Oracle has unveiled the Oracle Access Management Suite, which it says will help businesses comply with Section 114 of the Fair and Accurate Transactions Act (FACTA), better known as the Red Flag Rules. The rules become law November 1 and apply to any company that extends or deals with credit, from auto dealers to banks and financial institutions to retailers.
Businesses to which the Red Flag Rules apply must create written plans to detect and respond to suspicious transaction patterns that might indicate identity theft. The plans have to be updated to keep pace with changing trends in financial crime.
Detecting and responding to suspicious transaction patterns will require access control, policy management and a means of identity confirmation, all of which are provided in the Oracle Access Management Suite.
"Concerns about fraudulent charges due to identity theft are forcing companies to adopt better authentication technology, and risk-based authentication with identity proofing is one piece of the solution," Amit Jasuja, vice president of Oracle Identity Management, told InternetNews.com. "The other piece is to have one single identity so you can log in once and access all your applications, whether they're internal or external to your company."
The Oracle Access Management Suite offers standards-based single sign-on and identity federation, strong authentication and authorization management, and real-time proactive fraud prevention.
By doing so, it improves security for Web-based applications, an area that's becoming increasingly important for two reasons: enterprises are increasingly moving applications to the Web; and the latest credit card security standards, PCI-DSS 6.6, require that businesses put a Web application firewall on all customer-facing applications.
Authorization control is a critical part of compliance, and the Oracle Entitlements Server provides fine-grained authorization capabilities that prevent users from accessing or looking at documents they are not entitled to. "If, for example, I'm a cardiologist and I have a relationship with a patient, authorization control lets me only access the patient's cardiogram output but not, say, a biopsy report," Jasuja explained.