As Published In
Oracle Magazine
March/April 2007

AT ORACLE: Oracle News


Identity Governance Framework

By Jeff Erickson

Oracle proposes a better way to manage sensitive data in heterogeneous environments.

Quick: name every location in your IT system where employee Social Security numbers reside, and which applications have access to them. Not so easy? A new industry specification seeded by Oracle aims to make the task much easier.

Oracle's Identity Governance Framework (IGF) will provide a standard "contract" between applications and data repositories and create a single enforcement and audit point for sensitive information. Oracle has released initial draft specifications of the framework and has submitted the IGF royalty-free to Liberty Alliance. Sun, CA, and Novell back the specifications, as do key identity and access management vendors such as Ping Identity and Securent.

"Building a solution that only works with the Oracle stack is not what our customers need," says Amit Jasuja, vice president of product development for Oracle's security and identity management products. "So we used our unique vantage point as both an infrastructure and enterprise application company to really analyze the situation and come up with a solution that the industry can adopt to help all our customers."

The initial IGF framework has four main components:

Client Attribute Requirement Markup Language (CARML) is an XML-based language used by application developers to specify what identity information an application needs and how the application will use it.

Attribute Authority Policy Markup Language (AAPML) allows identity sources to specify constraints on how information can be used by applications.

CARML API enables developers to write applications that use identity-related data in a way that conforms to the policies guarding the use of that data.

Identity Attribute Service is a policy-enforced service for accessing identity-related data from multiple sources.

"With the IGF in place," says Jasuja, "an application will state in its CARML file, 'This is the identity information I need, and this is how I'm going to use it.' The customer's AAPML file will say, 'These are the policies that govern how this identity information is to be used.' The IGF will match the two and say, 'If the CARML file's request fits within the parameters outlined by the identity provider's AAPML file, I'll let the transaction go forward.'"

Augmenting Current Standards

The IGF picks up where other standards and open source initiatives—such as Higgins, Bandit, CardSpace, and WS-Trust—leave off. "What they're doing and what we're doing are quite complementary," says Jasuja. "They mostly deal with collecting user data and identity information from the user, but they don't say anything about what happens to it once it shows up in the enterprise. The IGF is about governing the flow of this information from repositories to the business applications that are going to make intelligent use of it to deliver business value."

Customer and Developer Benefits 

Next Steps


 GET your copy of the Gartner Magic Quadrant Paper

Two key benefits of an IGF-based standard will be increased business agility and easier audit compliance. "As things stand, it's very difficult for most organizations to know who's copying what information and for what purpose," says Prateek Mishra, director of security standards at Oracle. As a result, organizations enforce overly strict controls and processes that hinder business operations and impact productivity, flexibility, and efficiency. "The IGF will give them a straightforward way to get clear visibility into how sensitive data is being consumed," says Mishra. Providing a single point of enforcement has another benefit. "It's just plain easier to build strong protections and high availability around a single point," he adds.

Another clear benefit will be faster deployments. "Now an Oracle customer can buy a third-party application and it will come with a declaration up front about the identity information it needs as part of its CARML file," Mishra says.

An IGF-based standard will make life easier for application developers, too. The CARML API relieves developers from having to know the specifics about identity data sources—freeing them to focus on the business requirements and use of identity data rather than how to connect to it. "Developers won't have to care about where the information is coming from," says Mishra. "They'll just state what they need and be done with it."



Send us your comments