Managing Identity Diversity
By David Baum
Move from managing identities to managing relationships with Oracle Identity Management.
Identity management technology has progressed rapidly over the last 10 years, driven by a growing body of financial regulations, a widely distributed workforce, and an increasingly diverse application landscape. Identity management applications must securely support many types of users—from distributors to contract manufacturers to customers—all of whom need to be authorized to use corporate information systems.
“Historically, identity management has been mostly concerned with managing user information, often in the context of a centralized enterprise environment,” says Gerry Gebel, vice president and service director, identity and privacy strategies, Burton Group.
“With the rise of distributed work groups and the prominence of Web-enabled applications, identity management technology is becoming more focused on the identity of individuals,” Gebel says. “In the twenty-first century, we’re not just managing identities; we’re managing relationships.”
Managing relationships makes perfect sense to the IT pros at Chick-fil-A, a quick-service restaurant chain with 1,400 locations in 37 states and Washington DC.
“Your online identity is one of the first relationships you receive as an operator with Chick-fil-A,” says Jason Headley, manager of Chick-fil-A’s integration and data services team. “Our information systems are a key part of what our business owners need to be successful, so consistent access to these systems is critical. We depend on Oracle Identity Manager to provision identities for the systems that employees need to access.”
Chick-fil-A has created a wide-area network that provides persistent connections to every one of its restaurants. Since June 2006, it has been using Oracle Identity Management software to provision 60,000 staff, operators, and team members and to simplify access to the applications needed to manage the businesses.
In 2001 Chick-fil-A wrote a custom provisioning solution using Microsoft Visual Basic. It handled basic provisioning functions but was not extensible enough to support additional systems without extensive custom code changes. The company purchased Oracle Identity Manager and Oracle Access Manager to create a more flexible identity management environment.
“One of the biggest drivers for selecting Oracle was its stability as a company. With so much consolidation and flux in the space, we wanted a partner we knew would be committed to the business five years down the road,” says Joshua Figaretti, lead of the enterprise architecture team at Chick-fil-A. “Oracle has good software for provisioning, directory access, and authorization, along with a cohesive vision for where they are going in the [identity management] space.”
The team used Oracle Identity Manager to create a new provisioning system that works with Microsoft Active Directory, Microsoft Exchange, and Oracle E-Business Suite. As the central hub for storing and managing user identities, Oracle Identity Manager now manages provisioning to all of Chick-fil-A’s authorization stores.
“Oracle Identity Manager replaced our custom Visual Basic program and laid a foundation for authorization, access, and provisioning on an enterprise scale,” Figaretti says. “We’re starting to reap the benefits of a single-sign-on system with fine-grained authorization to our portal applications via Oracle Virtual Directory. Oracle Identity Manager gives us one central place to manage identities, and Oracle Virtual Directory provides a platform to access these identities whether or not these systems are compatible with LDAP.”
Chick-fil-A is also using XML to expose its identity and access management functions within a service-oriented architecture. Because Chick-fil-A deploys its password management capability as a reusable service, developers will have an easier time integrating that function with new and existing applications.
Amit Jasuja, vice president of development for Oracle’s identity management product line, says Chick-fil-A’s strategy matches Oracle’s stated direction for service-oriented security, an architecture that decouples hard-coded security features from enterprise applications to create reusable services and protocols.
“Service-oriented security enables organizations to simplify and centralize critical security processes including authentication, authorization, user administration, role management, identity virtualization and governance, and entitlement management, as well as audit and control, in a modular, standards-based fashion,” Jasuja says.
“The vision of identity services embodied in the Oracle Identity Management road map is very attractive to us,” says Figaretti. “We are moving toward a standards-based authorization service in conjunction with Oracle fine-grained authorization.”
Already the Oracle Identity Management software has enabled Chick-fil-A to respond to business needs more effectively. “We can tie new applications to the existing identity framework without a lot of custom work or investment in provisioning,” Figaretti says. “In 10 years, we have expanded from a [US]$600 million company to a [US]$2.9 billion company, and we need to be able to easily bring new systems online to support this growing business. Oracle is helping us devise an authoritative, central source for identity management functions that simplifies our infrastructure and helps us meet regulatory requirements.”
According to Oracle’s Jasuja, governance, risk, and compliance remain the primary drivers for investing in identity management software. “In the past, it was all about reducing costs and securing assets,” he says. “Now it is about having the right policies in place.”
For the State of Delaware, the catalyst for implementing a centralized identity management system was the annual open-enrollment project, in which state employees select healthcare plans and benefits. In 2006 state officials decided to put the process online using Oracle’s PeopleSoft eBenefits module—and to implement a single-sign-on process for other applications as well.
“We used open enrollment as the catalyst for an enterprisewide identity and access management project,” recalls Lynn Hersey-Miller, chief program officer for Delaware’s Department of Technology and Information (DTI). Hersey-Miller and her team evaluated several market-leading identity management products. They picked the Oracle Identity and Access Management Suite for its tight integration with Oracle’s PeopleSoft applications, the flexibility of its federated identity management capabilities, and its sophisticated multiple-factor authentication capabilities. “We wanted to develop a long-term solution that would govern access to all types of applications, not just PeopleSoft applications,” Hersey-Miller says. “We felt confident that the Oracle product was going to do what we needed it to do.”
The state purchased the Oracle Identity and Access Management Suite in June 2006 and went live with its new open-enrollment system in February 2007. Three months later, approximately 12,000 employees used the Oracle software to enroll for their benefits.
“Getting the majority of state employees to renew their benefits online was a huge undertaking, so we wanted to make it as simple as possible,” says Michele C. Ackles, deputy principal assistant in DTI. “It’s not easy to convince 15,000 people that something they have done on paper all their lives will work [online], let alone be easy to understand.”
Pn Narayanan, DTI’s project management team leader, saw the open-enrollment project as an opportunity to deploy centralized identity management that could support other software applications as well. “In the past, individual agencies created unique security capabilities for just about every application,” he says.
Oracle’s Jasuja says developing discrete authentication, access, and provisioning capabilities for each application is not uncommon, partly because doing so ensures a highly granular level of control. However, such practices become a maintenance headache for developers and a burden for the user community, which has to remember unique user IDs and passwords for multiple applications. That’s why he believes centralized investments in identity management software quickly pay for themselves. “Centralized directories are simpler to maintain over time,” he says, “and dealing with distinct security for each application complicates audits and compliance efforts.”
In the State of Delaware’s case, the new identity management framework supports single sign-on to three applications. One is the open-enrollment application, which will soon enable all 35,000 state employees to renew their health benefits. The second is a public safety application that enables 8,000 law enforcement officers and court officials to review protective orders as part of the Violence Against Women Act. The third is a transportation application that lets approximately 700 truckers file their International Motor Fuel Tax paperwork online.
Additionally, DTI is working with Delaware’s Office of Pensions to support Oracle’s PeopleSoft ePay module. This will give government workers a consistent login process for reviewing retirement and payroll processes from anywhere in the world. The advantages of single sign-on will soon apply to Delaware citizens as well, many of whom use the internet to access public information resources.
“When citizens enroll in a state college, report a crime, or sign up for a business license, we want them to be able to use one login and password,” says DTI’s Narayanan. “They should feel like they are dealing with one state, no matter how many agencies they interact with.”
David Baum (firstname.lastname@example.org) is a freelance business writer based in Santa Barbara, California.