COMMENT: Analyst's Corner
Managing IdentitiesBy David Baum
Get to know who’s who in cyberspace.
Gerry Gebel, vice president and service director for identity and privacy strategies, Burton Group, talked with Oracle Magazine about managing known and unknown users in the internet domain.
Oracle Magazine: What are the essential ingredients of today’s identity management systems?
Gebel: From a technology viewpoint, the core components you need to consider are directory services, authentication, and user provisioning. You also need to automate account management and deal with changes in status when people join and leave your organization.
Oracle Magazine: Does setting up role-based identity management simplify these processes?
Gebel: Yes, role management structures permissions and user responsibilities around the types of positions people occupy rather than according to individual identities per se. Role definitions reveal the business-oriented relationships that need to be represented in many identity management systems. For example, roles can help determine the accounts created and access granted by a user-provisioning system, and Web access management tools can make authorization decisions based on the role of a user. Further, roles help auditors and administrators determine if security controls are upholding the business and security policies of an organization.
Oracle Magazine: How do regulatory requirements drive identity management initiatives?
Gebel: Regulatory compliance is the No. 1 driver for identity management investments. You have to be able to audit, certify, and attest that an organization’s application environment is set up and operating the way it is intended to operate.
Oracle Magazine: How do IT organizations obtain buy-in for their identity management initiatives?
Gebel: IT professionals have always faced significant challenges when attempting to justify investments for identity management projects. It comes down to knowing your audience and their individual pain points and motivations so you can develop an argument that is convincing. It’s best if you can relate your technical needs to the business challenges at hand, whether it’s finding a more cost-effective and efficient way to handle SOX audits or driving down costs for IT administration.
Oracle Magazine: What are the key identity management issues that businesses must address when working outside their own organizations?
Gebel: The internet enables us to do business with people that we’ve never met before, and I think most organizations have embraced this global model. So much business activity is outsourced to partners and contractors or purchased as a service in this era of specialization, because the economics demand such decisions. How do you verify and authenticate so many different kinds of people? In a traditional employer-to-employee relationship, the company has checked my references, recorded my social security number, and knows all about me. I don’t always have that same kind of relationship with partners—and especially not with occasional customers. So I shouldn’t necessarily try to manage these types of credentials and identities in the same way.
Oracle Magazine: How does Oracle technology support identity management across different organizations?
Gebel: Oracle offers identity management products such as authentication, Web access management, and federation that form the technology basis for connecting with partners, suppliers, and customers in different security domains. In addition, Oracle is an active participant in several standards organizations, which provides the opportunity for its customers to interoperate in heterogeneous scenarios.
Oracle Magazine: How does service-oriented security facilitate distributed relationships?
Gebel: Service-oriented security can be fundamental to these modern identity management implementations, but it requires a new mindset to put these systems into practice. We are seeing more organizations approach identity management in a services-oriented fashion—similar to how they are building applications. Using simple services interfaces enables a more flexible architecture and implementation. Few standards or best practices exist at the moment, but many people are working toward this goal.
David Baum (firstname.lastname@example.org) is a freelance business writer based in Santa Barbara, California.
Burton Group provides IT research and advisory services to executives and technologists at Global 2000 organizations.