As Published In
Oracle Magazine
September/October 2007


Open and Secure

By David A. Kelly

Pfizer uses Oracle security features to open the door to partners and lock down identity and data. William Barnes, Pfizer's manager of identity services, talks about the solution.

Companies have always had a huge interest in controlling who gets to see what information or manage which data. The increased security that results from controlling access to systems and applications is a basic business value. In addition, automating access management increases efficiency and reduces the resources required to manage individual user access to applications or systems.

With today's greater demands for data security, organizations have realized additional benefits from deploying access management, especially in areas such as compliance and federation.

"With the advent of the Sarbanes-Oxley Act [SOX] a few years ago, capabilities like Web access management have become almost the de facto technology that you use to enforce some of the SOX requirements, such as Section 404," says Wynn White, vice president, product marketing, Oracle. "Access control and identity management systems can enable organizations to enforce access and provide a detailed audit trail to show auditors exactly what's happening."

Many organizations have also identified new value in federated access management, which gives business partners greater access to corporate systems and applications.

Federated access management solutions can streamline processes and reduce risk and security vulnerabilities. "The idea is that if you have a trusted partner that they've authenticated to, then you can rely on that authentication to let them into your application without necessarily storing all sorts of private data that might be breached," explains Trent Henry, senior analyst, Burton Group.

In many cases, even organizations that have already deployed access management are taking a fresh look at its potential.

The Expanding Role of Access Management

Pharmaceutical giant Pfizer is a good example of a company that's expanding its use of access management to meet an ever-broadening set of IT challenges and business opportunities. The goal is to treat authentication as an infrastructure service, so that each application can require the proper form of authentication from users.

This structure is important because the company's pharmaceutical research and development efforts around developing and marketing new drugs involve both low-sensitivity applications, with a low risk of information disclosure and loss of data integrity, and high-sensitivity applications, with high requirements for absolute data integrity and for ensuring that data is not disclosed to those who shouldn't have access. The company started by leveraging two Oracle products to build a unified—and centralized—portal for more efficient internal and external access.

"We use Oracle Access Manager and the Oracle Virtual Directory products for our identity and access management infrastructure," says William Barnes, manager of identity services, Pfizer. "We've worked closely with Oracle over the past two years to develop a solution that enables individual users to select the level of authentication that's right for the task they're trying to do."

That solution, a portal called, enables a more-flexible authentication system for organizations and their partners. The solution allows end users to determine what form of credential they would like to use—from logon IDs and passwords to digital certificates or two-factor authentication options.

As one example of how flexible authentication can be, Pfizer is a member of the biopharmaceutical group Signatures and Authentication for Everyone (SAFE), an organization that delivers electronic credentials for business-to-business transactions. In accessing the portal, an internal Pfizer user might use a standard logon ID/password combination, and an external partner might use a SAFE certificate. Alternatively, a mobile user accessing the system from a kiosk might use a secure ID one-time password-type device such as RSA's SecurID or the standardized, open source Open Authentication (OATH) secure token.

"The hope is that by allowing users to select what they want to use, it gives them the greatest control over the experience they intend to have," explains Barnes. "One of the major business benefits of this approach is allowing people to use a credential they may already have."

According to Burton Group's Henry, having a centralized facility to enforce and support access management policies throughout multiple applications is a fairly popular approach. "The idea is that no matter what application a user is accessing, the organization can rely on the same types of authentication framework," says Henry. "That reduces the management burdens and helps to eliminate potential mistakes that might occur."

Centralizing Authentication



 Location: New York City
 Industry: Pharmaceutical
 Employees: 100,000
 Oracle products: Oracle Database, Oracle Access Management, Oracle Identity Management

With its centralized authentication service, Pfizer has taken the authentication process out of each application and put it in the hands of the end user. And in the future, Pfizer can immediately take advantage of any new authentication methods that it wants to deploy, such as biometric or fingerprint-type authentication options.

"Authentication is probably one of the hottest areas in technology today, so we're not prescriptive on exactly what forms we will leverage," says Pfizer's Barnes. "But as new ones emerge, we see this as the single place where we can make them available."

Of course, another important aspect of access management for Pfizer is being able to manage risk better by ensuring that the proper level of authentication is required for specific applications. For example, some applications might have a low risk associated with access to their data, while others might require very high data integrity.

"Our authentication portal has multiple levels of trust associated with different levels of authentication," Barnes says. "We think that this is really important. Going forward, it will allow application developers either to lower or raise the bar required to get access to information and protect the integrity of the data."

Eventually, using this framework, Pfizer expects that it could leverage the use of national IDs, which might be issued through the European Union or by individual countries. "As national and international identity providers emerge, we see this framework as giving us the ability to link directly to them," adds Barnes. "And we will continue to work with Oracle to enhance the native capabilities of Oracle Access Manager and Oracle Virtual Directory to provide the functionality of the authentication portal."

The Evolution of Access Management 

Access management has come a long way in the past few years. But as organizations struggle to meet new compliance and security requirements and to reach out to partners and customers in a secure and manageable way, access management seems poised to play an even greater role in the corporate IT infrastructure.

"Over the past few years, the adoption of federation technologies has become much more prevalent," says Eric Leach, senior group product manager, access management, Oracle. "That means that organizations can use their baseline Web access management deployments and layer on standards-based federation products that can greatly simplify the integration of business partners."

For many companies, the need to interact efficiently with more organizations—whether it's suppliers, outsourcers, partners, customers, or someone else—will only increase. At the same time, organizations need to increase their agility and keep pace with changing business environments.

"A lot of new requirements have come in since most organizations originally adopted access management," Leach adds. "From compliance and auditing requirements to federation needs to stronger authentication requirements, now is the time for organizations to reconsider their access management solutions and opportunities in a broader context." 

David A. Kelly is a business, technology, and travel writer who lives in West Newton, Massachusetts.
