As Published In
Oracle Magazine
September/October 2008


Managing Identity Diversity

By David Baum

Move from managing identities to managing relationships with Oracle Identity Management.

Identity management technology has progressed rapidly over the last 10 years, driven by a growing body of financial regulations, a widely distributed workforce, and an increasingly diverse application landscape. Identity management applications must securely support many types of users—from distributors to contract manufacturers to customers—all of whom need to be authorized to use corporate information systems.

“Historically, identity management has been mostly concerned with managing user information, often in the context of a centralized enterprise environment,” says Gerry Gebel, vice president and service director, identity and privacy strategies, Burton Group.

“With the rise of distributed work groups and the prominence of Web-enabled applications, identity management technology is becoming more focused on the identity of individuals,” Gebel says. “In the twenty-first century, we’re not just managing identities; we’re managing relationships.”

B2B Connections

Managing relationships makes perfect sense to the IT pros at Chick-fil-A, a quick-service restaurant chain with 1,400 locations in 37 states and Washington DC.

“Your online identity is one of the first relationships you receive as an operator with Chick-fil-A,” says Jason Headley, manager of Chick-fil-A’s integration and data services team. “Our information systems are a key part of what our business owners need to be successful, so consistent access to these systems is critical. We depend on Oracle Identity Manager to provision identities for the systems that employees need to access.”

Chick-fil-A has created a wide-area network that provides persistent connections to every one of its restaurants. Since June 2006, it has been using Oracle Identity Management software to provision 60,000 staff, operators, and team members and to simplify access to the applications needed to manage the businesses.

In 2001 Chick-fil-A wrote a custom provisioning solution using Microsoft Visual Basic. It handled basic provisioning functions but was not extensible enough to support additional systems without extensive custom code changes. The company purchased Oracle Identity Manager and Oracle Access Manager to create a more flexible identity management environment.

“One of the biggest drivers for selecting Oracle was its stability as a company. With so much consolidation and flux in the space, we wanted a partner we knew would be committed to the business five years down the road,” says Joshua Figaretti, lead of the enterprise architecture team at Chick-fil-A. “Oracle has good software for provisioning, directory access, and authorization, along with a cohesive vision for where they are going in the [identity management] space.”

The team used Oracle Identity Manager to create a new provisioning system that works with Microsoft Active Directory, Microsoft Exchange, and Oracle E-Business Suite. As the central hub for storing and managing user identities, Oracle Identity Manager now manages provisioning to all of Chick-fil-A’s authorization stores.

“Oracle Identity Manager replaced our custom Visual Basic program and laid a foundation for authorization, access, and provisioning on an enterprise scale,” Figaretti says. “We’re starting to reap the benefits of a single-sign-on system with fine-grained authorization to our portal applications via Oracle Virtual Directory. Oracle Identity Manager gives us one central place to manage identities, and Oracle Virtual Directory provides a platform to access these identities whether or not these systems are compatible with LDAP.”

Chick-fil-A is also using XML to expose its identity and access management functions within a service-oriented architecture. Because Chick-fil-A deploys its password management capability as a reusable service, developers will have an easier time integrating that function with new and existing applications.

Service-Oriented Security

Amit Jasuja, vice president of development for Oracle’s identity management product line, says Chick-fil-A’s strategy matches Oracle’s stated direction for service-oriented security, an architecture that decouples hard-coded security features from enterprise applications to create reusable services and protocols.

“Service-oriented security enables organizations to simplify and centralize critical security processes including authentication, authorization, user administration, role management, identity virtualization and governance, and entitlement management, as well as audit and control, in a modular, standards-based fashion,” Jasuja says.
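The decoupling Jasuja describes is easiest to see in code. The following is an added example, not code from Oracle, Chick-fil-A, or the author of this article: it contrasts an authorization rule hard-coded inside a business function with the same rule moved into a small, reusable policy service (a policy decision point) that applications call through an enforcement wrapper, with every decision recorded for audit. The class and function names, the role names (`finance.manager`, `finance.controller`), and the invoice amounts are constructed for illustration and stand in for whatever a real authorization service would expose.

```python
"""Added example: hard-coded authorization versus a central policy service.
Nothing here is Oracle product code; names and sample data are constructed."""
from dataclasses import dataclass, field
from typing import Callable


def approve_invoice_hardcoded(user: dict, invoice: dict) -> bool:
    """'Before': the security policy is buried in the business application.
    Every application re-implements, re-tests, and re-audits rules like this."""
    if user["dept"] != "finance" or user["title"] not in ("manager", "controller"):
        return False
    if invoice["amount"] > 10_000 and user["title"] != "controller":
        return False
    return True


@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: frozenset


@dataclass(frozen=True)
class Decision:
    permit: bool
    rule: str  # the rule that decided, kept for the audit trail


@dataclass
class PolicyService:
    """'After': a reusable policy decision point (PDP). In a real deployment this
    would be a remote service; here it runs in-process so the example is self-contained."""
    rules: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def add_rule(self, name: str, action: str, resource_type: str,
                 predicate: Callable[[Subject, dict], bool]) -> None:
        self.rules.append((name, action, resource_type, predicate))

    def decide(self, subject: Subject, action: str, resource_type: str, attrs: dict) -> Decision:
        # First matching permit rule wins; anything unmatched is denied by default.
        decision = Decision(False, "default-deny")
        for name, r_action, r_type, predicate in self.rules:
            if (r_action, r_type) == (action, resource_type) and predicate(subject, attrs):
                decision = Decision(True, name)
                break
        # Governance: every decision, permit or deny, is logged centrally.
        self.audit_log.append({"user": subject.user_id, "action": action,
                               "resource": resource_type, "attrs": dict(attrs),
                               "permit": decision.permit, "rule": decision.rule})
        return decision


def enforce(pdp: PolicyService, action: str, resource_type: str):
    """Policy enforcement point (PEP): the application only declares what it does;
    the decision comes from the shared service."""
    def wrap(fn):
        def inner(subject: Subject, resource: dict, *args, **kwargs):
            decision = pdp.decide(subject, action, resource_type, resource)
            if not decision.permit:
                raise PermissionError(
                    f"{subject.user_id}: {action} {resource_type} denied ({decision.rule})")
            return fn(subject, resource, *args, **kwargs)
        return inner
    return wrap


def build_invoice_policy() -> PolicyService:
    """Same rules as the hard-coded version, now administered in one place."""
    pdp = PolicyService()
    pdp.add_rule("controller-approves-any", "approve", "invoice",
                 lambda s, a: "finance.controller" in s.roles)
    pdp.add_rule("manager-approves-small", "approve", "invoice",
                 lambda s, a: "finance.manager" in s.roles and a["amount"] <= 10_000)
    return pdp


PDP = build_invoice_policy()


@enforce(PDP, "approve", "invoice")
def approve_invoice(subject: Subject, invoice: dict) -> str:
    # Business logic only: no security checks remain in the application code.
    return f"invoice {invoice['id']} approved by {subject.user_id}"


if __name__ == "__main__":
    alice = Subject("alice", frozenset({"finance.manager"}))
    print(approve_invoice(alice, {"id": "INV-1", "amount": 5_000}))
    try:
        approve_invoice(alice, {"id": "INV-2", "amount": 50_000})
    except PermissionError as exc:
        print("denied:", exc)
    for entry in PDP.audit_log:
        print(entry)
```

Changing the approval threshold now means editing one rule in the policy service rather than hunting through every application, and the audit log gives the governance step Jasuja describes a single place to review who was permitted to do what.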


Chick-fil-A

 Location: Atlanta, Georgia
 Industry: Food service
 Employees: 65,000
 Oracle products: Oracle E-Business Suite, Oracle Database, Oracle Application Server, Oracle Identity and Access Management Suite (Oracle Access Manager, Oracle Identity Manager, Oracle Virtual Directory), Oracle Universal Content Management, Oracle WebCenter (formerly BEA AquaLogic User Interaction), Oracle’s Hyperion SQR Production Reporting

State of Delaware

 Location: Wilmington, Delaware (DTI employees)
 Industry: Government
 Employees: 35,000
 Oracle products: Oracle’s PeopleSoft HCM Warehouse and PeopleSoft Financials Warehouse, Oracle Database 10g, Oracle Identity and Access Management Suite

“The vision of identity services embodied in the Oracle Identity Management road map is very attractive to us,” says Figaretti. “We are moving toward a standards-based authorization service in conjunction with Oracle fine-grained authorization.”

Already the Oracle Identity Management software has enabled Chick-fil-A to respond to business needs more effectively. “We can tie new applications to the existing identity framework without a lot of custom work or investment in provisioning,” Figaretti says. “In 10 years, we have expanded from a [US]$600 million company to a [US]$2.9 billion company, and we need to be able to easily bring new systems online to support this growing business. Oracle is helping us devise an authoritative, central source for identity management functions that simplifies our infrastructure and helps us meet regulatory requirements.”

According to Oracle’s Jasuja, governance, risk, and compliance remain the primary drivers for investing in identity management software. “In the past, it was all about reducing costs and securing assets,” he says. “Now it is about having the right policies in place.”

Public Access

For the State of Delaware, the catalyst for implementing a centralized identity management system was the annual open-enrollment project, in which state employees select healthcare plans and benefits. In 2006 state officials decided to put the process online using Oracle’s PeopleSoft eBenefits module—and to implement a single-sign-on process for other applications as well.

“We used open enrollment as the catalyst for an enterprisewide identity and access management project,” recalls Lynn Hersey-Miller, chief program officer for Delaware’s Department of Technology and Information (DTI). Hersey-Miller and her team evaluated several market-leading identity management products. They picked the Oracle Identity and Access Management Suite for its tight integration with Oracle’s PeopleSoft applications, the flexibility of its federated identity management capabilities, and its sophisticated multiple-factor authentication capabilities. “We wanted to develop a long-term solution that would govern access to all types of applications, not just PeopleSoft applications,” Hersey-Miller says. “We felt confident that the Oracle product was going to do what we needed it to do.”

The state purchased the Oracle Identity and Access Management Suite in June 2006 and went live with its new open-enrollment system in February 2007. Three months later, approximately 12,000 employees used the Oracle software to enroll for their benefits.

“Getting the majority of state employees to renew their benefits online was a huge undertaking, so we wanted to make it as simple as possible,” says Michele C. Ackles, deputy principal assistant in DTI. “It’s not easy to convince 15,000 people that something they have done on paper all their lives will work [online], let alone be easy to understand.”

Pn Narayanan, DTI’s project management team leader, saw the open-enrollment project as an opportunity to deploy centralized identity management that could support other software applications as well. “In the past, individual agencies created unique security capabilities for just about every application,” he says.

Oracle’s Jasuja says developing discrete authentication, access, and provisioning capabilities for each application is not uncommon, partly because doing so ensures a highly granular level of control. However, such practices become a maintenance headache for developers and a burden for the user community, which has to remember unique user IDs and passwords for multiple applications. That’s why he believes centralized investments in identity management software quickly pay for themselves. “Centralized directories are simpler to maintain over time,” he says, “and dealing with distinct security for each application complicates audits and compliance efforts.”

In the State of Delaware’s case, the new identity management framework supports single sign-on to three applications. One is the open-enrollment application, which will soon enable all 35,000 state employees to renew their health benefits. The second is a public safety application that enables 8,000 law enforcement officers and court officials to review protective orders as part of the Violence Against Women Act. The third is a transportation application that lets approximately 700 truckers file their International Motor Fuel Tax paperwork online.

Additionally, DTI is working with Delaware’s Office of Pensions to support Oracle’s PeopleSoft ePay module. This will give government workers a consistent login process for reviewing retirement and payroll processes from anywhere in the world. The advantages of single sign-on will soon apply to Delaware citizens as well, many of whom use the internet to access public information resources.

“When citizens enroll in a state college, report a crime, or sign up for a business license, we want them to be able to use one login and password,” says DTI’s Narayanan. “They should feel like they are dealing with one state, no matter how many agencies they interact with.”


Building Service-Oriented Security

Amit Jasuja, Oracle’s vice president of development for identity management products, talked to Oracle Magazine about service-oriented security. The following is an excerpt from that interview. Download a podcast of the full interview at

Oracle Magazine: What is service-oriented security, and why is it important?

Jasuja: Service-oriented security is designed to bring the security organization and the capabilities that it provides closer to the business units and the application owners that are responsible for delivering applications to customers. The goal is to reduce the cost of integration and improve security adoption within the broader enterprise.

We took a page from the Oracle middleware strategy—service-oriented architecture [SOA]—and orchestrated a set of security capabilities developed using standard technology and delivered using standard interfaces.

Oracle Magazine: What IT processes does service-oriented security encompass?

Jasuja: When you look at a typical IT environment, there are five key steps that applications go through.

The first step is development, where developers build the business applications.

The second step is packaging. The completed application needs to be packaged in a set of self-contained components.

The third step is deployment. The application is integrated into the typical enterprise environment and deployed on top of standard containers—on top of standard security interfaces.

The fourth step is administration. You’ve got this application up and running. You need to define identities and security policies—who can see what—the administration components for that application.

The final step is governance, which is ensuring that the application is working as it was designed to work. The people that should be able to do certain things can, and people who should be blocked out are. It’s all about reviewing the audit reports and making sure that the controls and the policies are working right.

These are the five processes that we include within service-oriented security.

Oracle Magazine: What steps must a company take to get to service-oriented security?

Jasuja: This is not a one-step process. You can’t think, “If I deploy this product, I’ll be there.” Service-oriented security is a combination of product and methodology, so adopting the SOA concept is one of the first steps that we recommend our customers move toward. The good news is that most of Oracle’s customers are already very knowledgeable about SOA and the benefits of SOA.

The next step is working with the people within the enterprise—typically the developer community that’s building applications—to make sure that they understand the value of separating security from business logic. The value is in centralized control, better governance, and better regulatory compliance.

The third step is sharing with the developers some of the new technology pieces that we’re working on here. These concepts make developers’ jobs a lot easier, compared to what they have done in the past, to integrate security within business applications.

Then security administrators deploy infrastructure, which is service oriented. And you’re 90 percent of the way to realizing the real benefits of service-oriented security.


David Baum is a freelance business writer based in Santa Barbara, California.