How Oracle approaches the problem of identity management

By Bob Watkins, TechRepublic
Thursday, January 12, 2006 02:41 PM
Learn more about Oracle's latest identity management release, which includes centralized and delegated administration over user identities and access to services, provisioning of user services, and a federation component to manage external user identities.
For most security software initiatives, it's hard to calculate a clear return on the investment. It's like working backward to calculate the benefit of something bad not happening.

Identity management initiatives are different, however. There are clear and measurable cost savings to be had in reduced administration time and increased employee productivity due to less time spent resetting passwords. These cost savings can be measured and estimated even when breaches don't occur.

The latest version of Oracle Identity Management, announced in June 2005, is the first release since Oracle acquired Oblix in March 2005. In November 2005 Oracle also announced the acquisition of the user provisioning vendor Thor Technologies and the virtual directory vendor OctetString.

Foundation: Directory services
A directory service is the base of all identity management efforts. While the Oracle Identity Management products support most leading directories, Oracle also offers its own directory service. Oracle's directory service is called Oracle Internet Directory (OID), and because it stores its data in an Oracle Database, it leverages the scalability, reliability, parallel processing, high availability (via Real Application Clusters) and security features of that platform. The user list can grow to the millions without concern that the data store won't be able to scale effectively.

Oracle has also added virtual directory capabilities with Oracle Virtual Directory, a product that came with the OctetString acquisition. A virtual directory presents a single LDAP view of identity data regardless of where that data physically resides (existing directories, databases, application stores), so identity management can be deployed without first consolidating every identity store into one directory.

Identity and access features
Oracle COREid Access and Identity has been in service for seven versions. Its existing customer base exceeds 250 companies, some of whom manage millions of user identities.

In addition to the single sign-on capabilities that are the bread and butter of most access control offerings, it also includes:

  • Dynamic group management. Instead of adding users to groups individually, which doesn't scale well, Oracle Identity Management can dynamically add them based on user attributes. When a user changes roles within the organization, group memberships are automatically updated, with the effect that permissions are added and removed at the group level with minimal operator time.
  • User self-service registration, profile update, and password reset. Users can request access to system services themselves, which starts an approval process in a built-in workflow system. Requests are routed to the responsible decision-makers automatically, and on approval the user is granted access without any direct system administrator time. For password resets, the user authenticates with a pre-registered shared secret (for example, answers to challenge questions) and the system resets the password, again without help desk involvement. Note that the strength of this reset path is bounded by how guessable that shared secret is, so it needs the same care as the password policy it bypasses.
  • Delegated administration. Various parts of the organization can be granted permission to administer their own user base via Oracle Delegated Administration.
  • Centralized auditing and logging. Failed login attempts are tracked systemwide, and a series of pre-built reports can be run to monitor compliance.

Automated provisioning
Once user identities and their access permissions are managed centrally, that control can then be extended to databases, applications, and other identity stores via Oracle Xellerate Identity Provisioning. This part of Oracle Identity Management uses an extensible system of adapters as well as unique Adapter Factory technology to propagate access privileges to specific applications and systems, including support for leading business applications, groupware and legacy systems. These adapters protect the organization's investment in current applications and infrastructure, operate within the heterogeneous data centers and systems most companies possess and further leverage existing identity management initiatives. Oracle Xellerate Identity Provisioning is based on the recently acquired Thor Technologies' Xellerate offerings. Its scalability has been demonstrated by deployment in some of the most extensive provisioning installations.

Using Oracle Identity Management, users and groups can be managed centrally. For example, Windows domain logons, Oracle Financials applications, SAP Manufacturing applications and Lotus Notes e-mail may all be managed by separate IT groups. Cost savings are realized by making a single change at a centralized location, instead of requiring administrators of all such systems to make the change. Oracle Xellerate Identity Provisioning synchronizes the identity data across the various systems automatically.
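The two mechanisms above, attribute-driven group membership and propagation of the resulting entitlements to connected systems, fit together in one loop: recompute a user's groups from their attributes, then let each target system's adapter converge on that state. The following is an added example written for this article, not Oracle code; the Employee and DynamicGroupRule types, the TargetAdapter class, the rule set and the employees are all hypothetical and constructed. It also shows the joiner/mover/leaver cases, including deprovisioning when the user is terminated, which the text only describes.

```python
"""Attribute-driven group membership and provisioning reconciliation.

Added example, not Oracle code. Employee, DynamicGroupRule, TargetAdapter
and the rule set are hypothetical; the employees below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Employee:
    uid: str
    department: str
    title: str
    status: str = "active"          # "active" or "terminated"


@dataclass
class DynamicGroupRule:
    group: str
    predicate: Callable[[Employee], bool]


# Central rules: membership is derived from attributes, never added by hand.
RULES = [
    DynamicGroupRule("all-staff", lambda e: True),
    DynamicGroupRule("finance-users", lambda e: e.department == "Finance"),
    DynamicGroupRule("finance-approvers",
                     lambda e: e.department == "Finance" and e.title == "Manager"),
]


def compute_groups(emp: Employee, rules=RULES) -> Set[str]:
    """A terminated employee matches no rule, so deprovisioning is just a recompute."""
    if emp.status != "active":
        return set()
    return {r.group for r in rules if r.predicate(emp)}


class TargetAdapter:
    """Stand-in for a per-system provisioning adapter (domain, ERP, mail, ...).

    It keeps the target's account table in memory so the example runs offline;
    a real adapter would issue the same grant/revoke calls against the system.
    """
    def __init__(self, name: str, relevant_groups: Set[str]):
        self.name = name
        self.relevant_groups = relevant_groups       # groups this system cares about
        self.accounts: Dict[str, Set[str]] = {}      # uid -> groups granted here
        self.log: List[str] = []

    def reconcile(self, uid: str, groups: Set[str]) -> Tuple[Set[str], Set[str]]:
        """Converge this system on the central state; return (added, removed)."""
        want = groups & self.relevant_groups
        have = self.accounts.get(uid, set())
        added, removed = want - have, have - want
        for g in sorted(added):
            self.log.append(f"{self.name}: grant {g} to {uid}")
        for g in sorted(removed):
            self.log.append(f"{self.name}: revoke {g} from {uid}")
        if want:
            self.accounts[uid] = want
        elif uid in self.accounts:
            del self.accounts[uid]                   # nothing left: remove the account
            self.log.append(f"{self.name}: deprovisioned {uid}")
        return added, removed


def provision(emp: Employee, adapters: List[TargetAdapter]) -> Set[str]:
    """One change at the central store; every connected system follows."""
    groups = compute_groups(emp)
    for a in adapters:
        a.reconcile(emp.uid, groups)
    return groups


def demo() -> Tuple[List[str], Dict[str, Dict[str, Set[str]]]]:
    domain = TargetAdapter("windows-domain", {"all-staff", "finance-users"})
    erp = TargetAdapter("oracle-financials", {"finance-users", "finance-approvers"})
    adapters = [domain, erp]

    alice = Employee("alice", "Finance", "Analyst")
    provision(alice, adapters)       # joiner: finance-users + all-staff
    alice.title = "Manager"
    provision(alice, adapters)       # promotion: gains finance-approvers in the ERP
    alice.department = "Sales"
    provision(alice, adapters)       # mover: finance groups revoked, ERP account removed
    alice.status = "terminated"
    provision(alice, adapters)       # leaver: remaining account removed
    return domain.log + erp.log, {a.name: dict(a.accounts) for a in adapters}


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The point to notice is that the mover case removes entitlements without anyone remembering to do so: once the department attribute changes, the finance groups stop matching and every adapter revokes them on its next reconcile, which is the accumulation-of-privilege problem that manual group administration tends to leave behind.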

Federated identity
While the single sign-on capabilities of Oracle COREid Access and Identity give users access to corporate resources within one enterprise without repeated log-ins, Oracle COREid Federation lets that enterprise extend the same seamless access to its partners' users. Relying on industry standards such as SAML, Liberty Alliance and WS-Trust, organizations in different domains establish a trust relationship: the user's home organization authenticates the user and issues a signed assertion about that identity, and the partner application accepts the assertion instead of authenticating the user again. Each organization keeps its own user store and authentication policy while cooperating for business purposes. Oracle positions COREid Federation as unique in managing multiple partners and offering a choice of standard federation protocols from one self-contained product that companies can distribute to their partners.
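What "trusting a partner's users" means in practice is that the service provider verifies an assertion signed by the partner's identity provider, and applies its own checks before honouring it. The following is an added example illustrating that exchange; it is not Oracle code and not the SAML wire format. It uses a JSON body with an HMAC-SHA256 signature over a per-partner shared key (SAML uses XML signatures, typically RSA) so that it runs on the standard library alone. The entity IDs, user names and keys are constructed, and the IdentityProvider/ServiceProvider classes are hypothetical.

```python
"""Federated access: the partner's identity provider authenticates the user and
issues a signed assertion; our service provider verifies the assertion and
never sees the user's password.

Added example, not Oracle code and not the SAML wire format: a JSON body with
an HMAC-SHA256 signature over a per-partner shared key, so it runs on the
standard library alone. Entity IDs, users and keys are constructed.
"""
import base64, hashlib, hmac, json, secrets, time
from typing import Dict, Optional, Set


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """The partner domain: holds the user's session and mints assertions."""
    def __init__(self, issuer: str, key: bytes):
        self.issuer, self.key = issuer, key

    def issue(self, subject: str, audience: str, now: float, ttl: int = 300) -> str:
        body = {
            "id": secrets.token_hex(16),     # unique per assertion, enables replay detection
            "iss": self.issuer, "sub": subject, "aud": audience,
            "iat": int(now), "exp": int(now) + ttl,
        }
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(sig)


class ServiceProvider:
    """Our domain: accepts assertions only from registered partner issuers."""
    def __init__(self, entity_id: str, partner_keys: Dict[str, bytes]):
        self.entity_id = entity_id
        self.partner_keys = partner_keys     # issuer -> key: the trust list
        self.seen_ids: Set[str] = set()      # replay cache (bounded by ttl in practice)

    def verify(self, token: str, now: float) -> Optional[Dict[str, str]]:
        """Return {'issuer', 'subject'} for a valid assertion, None otherwise."""
        try:
            p64, s64 = token.split(".", 1)
            payload, sig = _unb64(p64), _unb64(s64)
            body = json.loads(payload)
        except ValueError:                   # malformed base64 or JSON
            return None
        if not isinstance(body, dict):
            return None
        key = self.partner_keys.get(body.get("iss"))
        if key is None:                      # unknown issuer: no trust relationship
            return None
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):   # constant-time check, before anything else
            return None
        if body.get("aud") != self.entity_id:        # minted for a different service provider
            return None
        iat, exp, aid, sub = body.get("iat"), body.get("exp"), body.get("id"), body.get("sub")
        if not (isinstance(iat, int) and isinstance(exp, int) and iat <= now < exp):
            return None                              # outside validity window
        if not isinstance(aid, str) or not isinstance(sub, str) or aid in self.seen_ids:
            return None                              # malformed, or replay of a captured assertion
        self.seen_ids.add(aid)
        return {"issuer": body["iss"], "subject": sub}


def demo() -> Dict[str, Optional[Dict[str, str]]]:
    partner_key = secrets.token_bytes(32)    # exchanged out of band when the partnership is set up
    idp = IdentityProvider("https://idp.partner.example", partner_key)
    sp = ServiceProvider("https://app.ours.example",
                         {"https://idp.partner.example": partner_key})
    now = time.time()
    good = idp.issue("carol@partner.example", "https://app.ours.example", now)
    stale = idp.issue("carol@partner.example", "https://app.ours.example", now - 600)
    other = idp.issue("carol@partner.example", "https://other.example", now)
    rogue = IdentityProvider("https://idp.partner.example", secrets.token_bytes(32))
    forged = rogue.issue("admin@ours.example", "https://app.ours.example", now)
    return {
        "valid": sp.verify(good, now + 1),
        "replayed": sp.verify(good, now + 2),      # same assertion presented again
        "expired": sp.verify(stale, now),          # issued 10 minutes ago with a 5-minute ttl
        "wrong_audience": sp.verify(other, now + 1),
        "forged": sp.verify(forged, now + 1),      # right issuer name, wrong key
    }
```

The checks in verify are the ones that matter in any federation deployment regardless of protocol: signature by a known issuer, audience restriction so an assertion for one partner application cannot be presented to another, a validity window, and a one-time-use record so a captured assertion cannot be replayed.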

Web services management
Identity management first arose from the need to centralize security across disparate applications so that developers no longer had to build authentication and authorization into each application themselves. That allowed security for all applications to be managed and applied uniformly. Web services management has come to the fore for the same reason: security policy and management for individual Web services is best defined centrally so it can be applied consistently across all of them. Oracle Web Services Manager does this, adding policy-driven best practices to existing or new Web services and supplying the security and management capabilities needed when deploying service-oriented architectures. It lets an organization centrally define policies that govern Web service operations (such as access policy, logging policy and load balancing) and then wrap those policies around Web services without modifying the services themselves.
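The pattern of wrapping a centrally defined policy around an existing service, so that access control and logging are enforced at one point rather than coded into each service, is easy to show in a few lines. The following is an added example, not Oracle Web Services Manager's code or API: the PolicyManager class, the policy table, the three services and the callers are all hypothetical and constructed. Operations without a policy entry are denied by default.

```python
"""Central policy enforcement wrapped around existing service functions.

Added example, not Oracle Web Services Manager. The policy table, the
services and the caller identities are hypothetical and constructed.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Set, Tuple


@dataclass
class Policy:
    allowed_roles: Set[str]
    log_calls: bool = True


@dataclass
class Caller:
    user: str
    roles: Set[str]


class PolicyError(PermissionError):
    pass


class PolicyManager:
    """Holds the central policy table and wraps callables to enforce it."""
    def __init__(self, policies: Dict[str, Policy]):
        self.policies = policies
        self.audit: List[str] = []

    def protect(self, name: str, service: Callable[..., Any]) -> Callable[..., Any]:
        def guarded(caller: Caller, *args, **kwargs):
            policy = self.policies.get(name)
            if policy is None:                 # unlisted operation: default deny
                self.audit.append(f"DENY {caller.user} -> {name}: no policy")
                raise PolicyError(f"no policy for {name}")
            if not (caller.roles & policy.allowed_roles):
                self.audit.append(f"DENY {caller.user} -> {name}: roles {sorted(caller.roles)}")
                raise PolicyError(f"{caller.user} may not call {name}")
            if policy.log_calls:
                self.audit.append(f"ALLOW {caller.user} -> {name}")
            return service(*args, **kwargs)    # the service itself is untouched
        return guarded


# Existing services, left as they are: they know nothing about callers or roles.
def get_balance(account: str) -> int:
    return {"acct-1": 1200, "acct-2": 50}[account]


def transfer(src: str, dst: str, amount: int) -> str:
    return f"moved {amount} from {src} to {dst}"


def delete_account(account: str) -> str:
    return f"deleted {account}"


def demo() -> Tuple[Dict[str, Any], List[str]]:
    mgr = PolicyManager({
        "get_balance": Policy({"teller", "auditor"}),
        "transfer": Policy({"teller"}),
        # delete_account deliberately has no policy entry
    })
    services = {n: mgr.protect(n, f) for n, f in
                [("get_balance", get_balance), ("transfer", transfer),
                 ("delete_account", delete_account)]}
    teller = Caller("dave", {"teller"})
    auditor = Caller("erin", {"auditor"})
    results: Dict[str, Any] = {}
    results["auditor_balance"] = services["get_balance"](auditor, "acct-1")
    try:
        services["transfer"](auditor, "acct-1", "acct-2", 25)
    except PolicyError as e:
        results["auditor_transfer"] = str(e)
    results["teller_transfer"] = services["transfer"](teller, "acct-1", "acct-2", 25)
    try:
        services["delete_account"](teller, "acct-2")
    except PolicyError as e:
        results["teller_delete"] = str(e)
    return results, mgr.audit


if __name__ == "__main__":
    res, audit = demo()
    print(res)
    print("\n".join(audit))
```

Changing who may call transfer, or turning logging off for a noisy read-only operation, is an edit to the policy table only; none of the service functions change.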

The bottom line
Oracle's identity management products are positioned as the security backbone for all services performed in the middle tier. They span the full life cycle of an identity: its initial creation and the privileges attached to it, the changes that follow as the user's role evolves, and deprovisioning when the user leaves the organization or is terminated. Automating that life cycle yields cost savings from reduced administration, better compliance reporting and more efficient working with partners.
