Saturday, February 28, 2009

Sync Oracle Calendar to Google Calendar + iCal + iPhone

I've been searching for a reliable method to automate the synchronization of events from Oracle Calendar (formerly CorporateTime) to my Google Calendar, iCal on my Mac, and internal iPhone calendar on my iPhone.


Recently I learned of a promising iPhone app available at iTunes called Todo+Cal+Sync that could do most of what I was looking for with synchronizing calendars. However, I didn't want to fork over $14.99 for an application that, instead of importing Oracle Calendar events into the native iPhone calendar, added an additional calendar application on my iPhone. Synthesis AG, the developer of the Todo+Cal+Sync application, is required to do this because of limitations imposed by Apple's iPhone software development kit (SDK). In other words, Apple does not allow 3rd part applications, such as Todo+Cal+Sync, to access the internal iPhone calendar, nor sync with iCal. This is a risk/benefit that Apple needs to manage; is the benefit of restricting access to the internal iPhone calendar worth the impact it has on the development of 3rd party applications and subsequent ripple effect? Until Apple's iPhone SDK allow such access, I did not want two calendar applications and continued looking for something that would better match my needs.

After digging around and tinkering with different solutions, I worked out a method that did exactly what I wanted. To make this solution even better, it cost $0 - in other words, FREE!

Below are the steps that I came up with to make the calendar sync work for me. Steps 1-3 are also useful for those who do not necessarily have an iPhone or iTouch but want to sync their Oracle Calendar with other devices and/or calendar apps that support Google Calendar's CalDAV sync.

  1. Begin by changing your password for your Oracle Calendar user account. Make it a unique password that you are not using anywhere else. In other words, your new Oracle Calendar password should not be the same password as you're using for other email accounts, online banking, eBay, PayPal, etc. This new password should also comply to any password policies that may exist for users of the Oracle Calendar system.
  2. Create a "magic" URL using This URL will be used in step #3. You will want your magic URL to look something like the following:

Example - Oracle Calendar supporting https on port 443,30)

SECURITY WARNING - There is an increased security risk with this method. It's up to you to determine if this is a risk you are willing to accept and that it doesn't violate any policies or restrictions imposed by the organization running the Oracle Calendar service that you are using. The risks include:

  • Unauthorized interception of your password from the URL as it's being transmitted to or from
  • itself becoming compromised and allowing an attacker to intercept your password.

In my opinion, the likelihood of the above risks happening are medium to low. You can keep this risk on the lower end by never connecting to untrusted networks or using insecure wireless, which includes wireless networks that use WEP encryption.

Additionally, you will need to determine if the impact of an unauthorized user obtaining your Oracle Calendar password would have a significant impact or not. In most instances, I would imagine the impact would be low.

This is why doing step #1 above is critical in helping minimize the impact if your password was compromised.

Anyone using an application that syncs using the SyncML functionality of Oracle Calendar should take the same precautions irregardless if he or she are using as a proxy to convert SynchML to iCal format.

  1. Go to Google Calendar and add a new calendar by selecting Add by URL . You will use the URL you created from step #2. You may also want to change the display name and color of this new calendar on Google Calendar.

    Do note that Google has stated that external feeds added via the "Add by URL" method should be refreshed every 24 hours.

  1. Download and run Calaboration from Google Code. This will allow you to add your Oracle calendar to your Mac's iCal application. Before you can add the new calendar, click on preferences within Calaboration and enable allowing read only calendars to be added. Make sure your new calendar is selected and let Calaboration do the setup work for you. Your Oracle calendar will then sync with iCal.

  1. Use iTunes to sync Oracle calendar from iCal to your iPhone.

One minor annoying issue I came across was with how day events and day notes from Oracle Calendar were handled by the time they showed up in iCal. Day events and notes from Oracle Calendar showed up in iCal as being a blocked all-day event from 0000-2359. As a quick temporary solution I simply denied day events and notes within Oracle Calendar and re-synced. This temporary approach was acceptable for me since I use Google Calendar to manage my daily notes and I can look at a user's Oracle calendar if I need to know if he or she is on vacation, on-call, etc.

As for effectively managing tasks using your iPhone, see my previous article titled, Tools To Get Things Done.



Saturday, February 7, 2009

Thoughts on IT Security Organizational Structure

I've recently been asking myself how to most effectively structure Information Security (InfoSec) within an organization. Here are some thoughts I've had while trying to answer this.

As with any "structure" there needs to be some form of integral support, whether it's a frame for a house or honeycomb for a beehive. This is also true with organizational structures - there needs to be support. In order for InfoSec to be successful it must have the full support of senior or executive management. This support would be actualized as a sincere commitment by senior management to achieve the following:

  • Develop high standards of corporate governance
  • Treat InfoSec as a critical function that enables an organization to do business
  • Create an environment that understands the importance of, and embraces, InfoSec
  • Consistently show 3rd parties that InfoSec is vital and will always be handled in a professional manner
  • Ensure that controls being implemented by InfoSec are appropriate and proportionate to risk being addressed
  • Stay informed and accept ultimate responsibility and accountability

The first bulleted point in the above list, "Develop high standards of corporate governance", is where the necessary framework is built from which InfoSec can flourish. At a minimum, an effective governance framework includes:

  • An all-inclusive security strategy that links to clearly defined and documented business objectives
  • Security policies that address the multiple facets of security strategy, regulatory compliance and controls
  • Standards for each of the policies to make sure that procedures and guidelines comply with policy
  • An organizational structure void of conflicts of interest with sufficient resources and authority
  • Metrics and monitoring processes to ensure compliance and provide feedback

Again, I want to emphasize that It is imperative that an organization's top management sees InfoSec as a critical business function and is fully committed to stand behind InfoSec. Without the complete assurance from top management we will continue to see security functions getting moved around the organization while adequate resources are never obtained and conflicts of interest are progressively created.

To limit conflicts of interest and actualize the benefits from investing within InfoSec, the Chief Information Security Officer (CISO/ISO) or Information Security Manager (ISM) must report directly to the top of the organizational structure, or an independent branch such as Audit. The trend in the past was to embed central InfoSec within Information Technology (IT), that is, until organizations began realizing that this structure kept InfoSec's hands tied behind their back, significantly reducing InfoSec's overall effectiveness. In other words, organizations were self-limiting their return on investment (ROI) from InfoSec. To resolve this issue and improve the ROI from InfoSec, CISO's/ISO's/ISM's began reporting to the CEO's, CFO's, CTO's and CIO's.


Ok, great, so the ISO should report to the CFO ... then what?

What we want to avoid is a structure with the fragmentation that is commonly seen today. Rather, create a tighter integration of the duties and activities performed by IT Security, Operations, Policy & Compliance, Risk Management and Audit. To anticipate the trends of the future, it’s very likely that individuals and departments taking on central InfoSec duties will also have various risk management responsibilities that extend beyond IT. This can include anything from physical security, business continuity and disaster recovery.


Fact is, too often in industry the security discipline is (mis)directed by technology instead of using a risk analysis and proactive ‘intelligence’ approach. To add to the vicious cycle, when majority of the investment is being put into technology then most of the return comes from there too. This reinforcement perpetuates the destructive spiral.

So, how does a business avoid this technodazed shortsightedness? It comes down to strategy, making the conscious shift to be more strategic. This means moving away from the predictable technology-centric and tactical security operation seen in the industry since the golden days of the dot-gone era. At a high level, for InfoSec to more closely align with and help business achieve its objectives, InfoSec will need to become more focussed on 'intelligence'; gathering information, ability to comprehend, ability to develop policy and plans at a high level, using a methodology of risk analysis and risk mitigation, having the knowledge about an organization's business environment that has implications for its long-term viability and success, thinking long-term, and being both pragmatic and visionary.

Thinking strategically while taking into account anticipation of future trends and using proactive 'intelligence', I believe the wise CISO, or equivalent, who's in a healthy organizational environment needs to start planning for incorporating some of the non-IT specific risk management responsibilities before it's thrust upon them within the next three to five years. There will need to be coordination between IT Security, Operations, Policy & Compliance, Risk Management, Audit and Physical Security.

What this boils down to is that a very effective way to structure InfoSec within an organization involves having the CISO, or equivalent, reporting directly to the senior/executive level of the organization while having their full support, commitment and involvement. This top level commitment includes the development of high standards of corporate governance and actively limiting conflicts of interest so that InfoSec will be effective and provide a high ROI by enabling the organization to do business.