COMMUNITY: Interview

As Published In
Oracle Magazine
November/December 2010


An Identity Management Evolution

By Caroline Kvitka


Oracle Identity Management 11g delivers service-oriented security, native integration across the suite, and hot-pluggability so components can be added on as needed.

Oracle recently announced Oracle Identity Management 11g, a comprehensive product suite that includes identity management, access management, identity analytics, directory services, identity federation, entitlements, information rights management, and more. Caroline Kvitka, Oracle Magazine senior managing editor, sat down with Amit Jasuja, vice president of development, identity management and security products, at Oracle, to get the details. The following is an excerpt from that interview. Download the full podcast at

Oracle Magazine: Why is identity management important, and how has it evolved in the last few years?

Jasuja: Identity management is a core infrastructure requirement. Companies need to secure who has access to business applications and information, and identity management delivers on that need. Looking at how things have evolved, identity management has gone from being a nice-to-have technology to a must-have. It’s become more of a compliance-driven mandate as opposed to what used to be mostly a nice-to-have cost avoidance or productivity tool.

As regulatory pressure continues to grow, businesses need to be able to control and continuously monitor who has access to what. As the threat landscape changes and people are more worried about cybersecurity and identity theft, what was traditionally a single-sign-on solution needs to evolve to a risk-based access control solution.

Oracle Magazine: How does Oracle Identity Management 11g address the evolving needs of business?

Jasuja: There are three important aspects of Oracle Identity Management 11g that I’d like to highlight. The first is service-oriented security. Instead of delivering identity management as a set of siloed technologies that do access control, provisioning, and directory all separately, Oracle has delivered all of these capabilities as a set of services that are integrated, standards based, and ready to be rapidly deployed to secure business applications. We expect companies with thousands of business applications to be able to integrate them with Oracle Identity Management 11g very quickly.

Second, we have ended the debate over choosing best of breed or an integrated suite for identity management. Oracle Identity Management 11g is integrated, standards based, and best of breed. Everything is based on a single user interface. There is native integration between the different products. So if you want to use the password expiration detection capabilities of Oracle Access Management Suite with the password reset capabilities of Oracle Identity Manager, these two components of Oracle Identity Management 11g are already designed to work together.

Third, all of the Oracle Identity Management 11g products are hot pluggable, meaning that they don’t all have to be deployed at the same time. They can be deployed in a piecemeal fashion, which is important for a lot of companies, because often budgets are limited. Also, if a company wants to leverage its existing identity management technologies, it can layer just the new Oracle Identity Management 11g components that are needed on top.

Oracle Magazine: What is an example of service-oriented security in action?

Jasuja: One of the examples that I like to use is that of developing any new application. Within companies, there’s often a set of applications that are delivered out of the box, such as PeopleSoft or Siebel applications, but then there are hundreds more applications that companies are building on their own using infrastructure like Oracle WebLogic Server or IBM WebSphere. All of these applications need to be integrated with the identity infrastructure.

With Oracle Identity Management 11g, we have exposed all the basic building blocks of identity management—including authentication, authorization policies around who can access what, roles, and so on—as a service, allowing companies to develop applications rapidly and securely as they integrate them with their identity management infrastructure. So their applications are natively built to take advantage of the Oracle Identity Management 11g infrastructure, as opposed to the old style, where security would always be reverse-engineered into the business application as an afterthought.

Oracle Magazine: In terms of integration, what is an example of how Oracle Identity Management 11g is solving business challenges?

Jasuja: In the past, customers who deployed identity management products often had difficult user experiences by way of installation, configuration, how they collected and used audit data in reports, and whether they could look at a combination of risk factors such as device identification or geolocation to authenticate users and, therefore, mitigate risks around identity theft.

What we’ve done with the suite is taken the core products and created seamless integration across a range of cross-product use cases. Let’s say that I go to a Website, and I try to log in but I have forgotten my password. I can answer a challenge question and have a new password sent to me via an SMS message to my phone, and I can use that phone-based SMS to reset my password and gain access to my business application again.

In the past, companies often would have to tie two or three different technologies together to be able to achieve this. But with our suite, we have integrated Oracle Identity Manager, Oracle Access Manager, and Oracle Adaptive Access Manager to address this flow completely out of the box.

Oracle Magazine: What are some other standout features in the suite?

Jasuja: There are a number of very interesting features that we have delivered in Oracle Identity Management 11g—let me highlight a couple of them.

With Oracle Access Manager 11g, we have a native session server built in. This allows Website administrators to have complete visibility over who is actually using a system from a central place.

Historically, all Web single-sign-on technologies have been cookie-based and, as a result, completely stateless. That means that if the Website administrator detects a hacker or somebody who should not have access, there is nothing the administrator can do to disallow access—other than taking the site down. With the session server in Oracle Access Manager 11g, if any suspicious activity is detected, it can be pinpointed down to a user, and the administrator can terminate the user’s session centrally so that when the user tries to access the application, he or she will have been logged out—and denied access. That’s a very important capability of Oracle Access Manager.

Let’s look at user administration. Historically most provisioning and role management products were separate. People would do role management using one tool, and they would do account access management within various applications through a provisioning product.

Now, with Oracle Identity Manager 11g, we have the first product that does role request management, account request management, and user request management in one place. Everything is integrated into a single, completely intuitive, business-friendly user interface.

Oracle Magazine: How do you see identity management technology continuing to evolve?

Jasuja: There are three dimensions that are becoming much more important as we look at identity. First, there is a convergence of what we call physical and logical identity. More and more organizations are trying to use primary identity form factors, such as a driver’s license, a phone, or a badge for identification. This identity needs to be accepted all of the way through all of the different business applications that a user is accessing.

Second is the proliferation of devices that are being used more and more to access content and collaborate with others over the internet. These devices and what people are trying to do dramatically increase the scale and flexibility requirements on traditional identity infrastructure—especially in being able to work with a broad range of tokens for authentication, rapid establishment of trust, privacy control, and profile management.

The final area that’s important is cloud computing. As people move toward the cloud, the whole area of security is becoming very important, and within that identity management has an important role to play. Businesses have questions about security and the cloud: How does a company enable itself so that its business users and their applications can be deployed in a cloud environment?

How does identity management itself get delivered as a cloud service? And how do companies that are already cloud providers secure that cloud environment so that they can deliver business applications in a multitenant fashion to multiple consumers and multiple enterprises? Identity management is an area that over the next three to four years will be undergoing a dramatic shift as the enterprise software model transforms toward a new delivery model, and we are looking forward to working closely with our customers to get them there.
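The contrast Jasuja draws between a stateless, cookie-based single sign-on and a central session server is worth seeing in code. The following is an added illustration written for this page, not Oracle's code or a description of how Oracle Access Manager is implemented: a minimal HMAC-signed SSO cookie next to a minimal in-memory session store, both constructed here with hypothetical names (`issue_stateless_cookie`, `SessionServer`, `revocation_demo`) and a constructed signing key and fixed clock so the run is deterministic. It shows the one property that matters for incident response: an administrator can terminate a specific user's sessions in the stateful design, while the signed cookie stays valid until it expires no matter what the administrator learns.

```python
"""Added example (not Oracle code): central session termination versus a
stateless signed cookie. Names, key and clock values are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, List, Optional

# Constructed signing key for the stateless design; a real deployment loads
# this from a secret store and rotates it.
SIGNING_KEY = b"example-signing-key-not-for-production"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_stateless_cookie(user: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Stateless SSO cookie 'payload.signature'. Nothing is stored server
    side, so there is nothing an administrator can later look up and delete."""
    now = time.time() if now is None else now
    payload = _b64e(json.dumps({"sub": user, "exp": now + ttl}).encode())
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64e(sig)}"


def verify_stateless_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user if the signature checks and the cookie is unexpired.
    No revocation check is possible: the server holds no per-session state."""
    now = time.time() if now is None else now
    try:
        payload, sig = cookie.split(".", 1)
        expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64d(sig), expected):  # constant-time compare
            return None
        claims = json.loads(_b64d(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


class SessionServer:
    """Central session store: each login is a record the administrator can
    list per user and terminate; the next request with that id is denied."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}  # opaque session id -> {"sub", "exp"}

    def login(self, user: str, ttl: int = 3600, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # unguessable handle, carries no claims
        self._sessions[sid] = {"sub": user, "exp": now + ttl}
        return sid

    def authenticate(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        rec = self._sessions.get(sid)
        if rec is None:
            return None  # never issued, or already terminated
        if rec["exp"] <= now:
            del self._sessions[sid]
            return None
        return rec["sub"]

    def sessions_for(self, user: str) -> List[str]:
        """The central 'who is using the system' view."""
        return [sid for sid, rec in self._sessions.items() if rec["sub"] == user]

    def terminate_user(self, user: str) -> int:
        """Administrator response: drop every session of one user; returns count."""
        victims = self.sessions_for(user)
        for sid in victims:
            del self._sessions[sid]
        return len(victims)


def revocation_demo() -> dict:
    """Same incident in both designs: 'mallory' is flagged, 'alice' is not."""
    t0 = 1_700_000_000.0  # fixed clock for a deterministic run
    cookie = issue_stateless_cookie("mallory", now=t0)
    payload, sig = cookie.split(".", 1)
    forged = payload + "." + ("A" if sig[0] != "A" else "B") + sig[1:]
    server = SessionServer()
    alice_sid = server.login("alice", now=t0)
    mallory_sid = server.login("mallory", now=t0)
    killed = server.terminate_user("mallory")
    return {
        "cookie_still_valid": verify_stateless_cookie(cookie, now=t0 + 60),
        "cookie_expired": verify_stateless_cookie(cookie, now=t0 + 3601),
        "cookie_tampered": verify_stateless_cookie(forged, now=t0 + 60),
        "sessions_terminated": killed,
        "mallory_after_kill": server.authenticate(mallory_sid, now=t0 + 60),
        "alice_after_kill": server.authenticate(alice_sid, now=t0 + 60),
    }


if __name__ == "__main__":
    print(revocation_demo())
```

In the stateless design the administrator's only levers are waiting out `exp` or rotating `SIGNING_KEY`, which logs out every user at once. The session store costs a lookup on each request and is itself a high-value target to protect, but it buys per-user visibility and selective termination, which is the capability the interview attributes to the session server.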


Caroline Kvitka is a senior managing editor of Oracle Magazine and Profit.


