Feature
Know Who, Know How
By Michael Miley
How companies are using Oracle technology to manage identities
Tony Macedo has a cure for what ails you, provided what ails you is the corporate equivalent of multiple personality disorder. He's built an Oracle-based "identity management" server that he hopes to deliver to each of the 12 directorates at Lawrence Livermore National Laboratory (LLNL). Deployed on Oracle Application Server 10g and using Oracle Single Sign-On and Oracle Internet Directory, the server simplifies identity management for any directorate that installs it and for any applications tied into it.
"The platform is the target for user account data, IDs, and passwords provisioned and dispersed by our Computer Security Program department for potentially 8,000 employees at the lab," says Macedo, a computer scientist at California-based LLNL and the Oracle Application Server 10g Infrastructure project manager. "The idea is to get the various directorates out of the business of user account management and to provide a single-sign-on function to applications integrated with the platform. What we want is a common centralized account management scheme, so we can easily say 'create that account, hold that account, or decommission that account,' and it will immediately ripple through every business or scientific system at the lab."
Making Sense of Identity Management
Macedo's solution is timely, inasmuch as corporate "identity disorder" is a common problem in enterprises today. For many organizations, an employee's identity is split among dozens of applications, separate and unknown to each other. The condition often begins on the day of hire, when Human Resources enters the employee into the HR system. Then a similar process is repeated for every application or service the person is given access to, a scenario complicated by the various roles and privileges assigned to each account. The consequences of this fragmentation are often a nightmare, not only for employees who have to remember the right IDs and passwords for each of their applications but also for administrators who have to track and manage it all.
"The problem is everywhere in business and government organizations," says Jonathan Penn, a principal analyst covering security issues at Forrester Research. "Identity is all over the place, in many different forms. Not only is there a great deal of redundancy and inefficiency, which brings greater cost overhead for IT organizations, but it's also very hard to ensure compliance with security policies and requirements and more difficult to develop and roll out applications and services that can help an organization be agile and responsive."
Earl Perkins, vice president of Security and Risk Strategies at Meta Group, a leading provider of information technology research, advisory services, and strategic consulting, agrees, emphasizing that "there's pressure within business and government to comply with state and federal statutes governing the uses of identity data." The U.S. statutes he's referring to include Sarbanes-Oxley, with rules for certifying the accuracy of financial disclosure and accounting, and the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA), with rules for protecting the privacy of personal data in healthcare and education, respectively.
Compliance depends on the definition of identity management. "Identity management is typically seen through the eyes of the beholder," says Mary Ann Davidson, chief security officer at Oracle. "Some people think of smart cards or biometrics. Others think of single sign-on or a directory. More broadly, however, it's all the processes and technologies that manage the complete security and identity lifecycle for people and network entities in an organization."
Steps in the identity management lifecycle include creating accounts and modifying privileges, as well as suspending and deleting inactive accounts. And although the identity of application users is the primary focus of many identity management solutions, identity management can also cover devices, processes, and applications, and anything else that interacts in a networked environment.
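The lifecycle steps above, and the "create, hold, or decommission ... and it will immediately ripple through every system" flow Macedo describes, can be modelled as a small hub-and-spoke provisioning engine. This is an added, constructed illustration, not LLNL's or Oracle's code; the state names, the `AppConnector` spokes and the `orphans` reconciliation check are assumptions made for the example.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed illustration, not LLNL's or Oracle's code: a central identity
# hub that applies each lifecycle transition once and pushes it to every
# connected application store, keeping an audit trail of who changed what.

# Legal transitions: current state (None = account does not exist yet) ->
# states it may move to. Decommissioned accounts are never resurrected;
# a returning person gets a fresh account and a fresh audit trail.
ALLOWED: Dict[Optional[str], Set[str]] = {
    None: {"active"},
    "active": {"held", "decommissioned"},
    "held": {"active", "decommissioned"},
    "decommissioned": set(),
}

def allowed(current: Optional[str], new: str) -> bool:
    return new in ALLOWED.get(current, set())

class AppConnector:
    """A spoke: one application's local account store (hypothetical)."""
    def __init__(self, name: str):
        self.name = name
        self.accounts: Dict[str, str] = {}   # user id -> local state

    def apply(self, uid: str, state: str) -> None:
        if state == "decommissioned":
            self.accounts.pop(uid, None)     # remove, do not merely disable
        else:
            self.accounts[uid] = state

class IdentityHub:
    """The hub: single source of truth for account state."""
    def __init__(self, connectors: List[AppConnector]):
        self.connectors = connectors
        self.state: Dict[str, str] = {}
        self.audit: List[Tuple[str, str, Optional[str], str]] = []

    def transition(self, uid: str, new: str, actor: str) -> None:
        current = self.state.get(uid)
        if not allowed(current, new):
            raise ValueError(f"{uid}: {current} -> {new} is not allowed")
        self.state[uid] = new
        for c in self.connectors:            # ripple to every tied-in system
            c.apply(uid, new)
        self.audit.append((actor, uid, current, new))

    def orphans(self) -> Dict[str, Set[str]]:
        """Accounts present in a spoke with no live central identity: the
        fragmentation the article describes, surfaced by a reconciliation run."""
        live = {u for u, s in self.state.items() if s != "decommissioned"}
        found = {c.name: set(c.accounts) - live for c in self.connectors}
        return {name: ids for name, ids in found.items() if ids}

def demo():
    """Constructed sample run: one user through the full lifecycle, plus one
    account that was created locally in a spoke and never went through the hub."""
    hr, timecard = AppConnector("hr"), AppConnector("timecard")
    timecard.accounts["stale01"] = "active"   # created locally, bypassing the hub
    hub = IdentityHub([hr, timecard])
    hub.transition("jdoe", "active", actor="csp")
    hub.transition("jdoe", "held", actor="csp")
    hub.transition("jdoe", "decommissioned", actor="csp")
    return hub, hr, timecard
```

After `demo()` runs, `jdoe` is gone from both spokes while `stale01` is reported by `orphans()` as an account no central authority knows about.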
That said, "when it comes to identity management technology, it's useful to think of two major areas," adds Perkins. "The first, identity infrastructure, is what delivers the basic authentication, authorization, directory, and integration services. The second is identity management proper, which delivers user provisioning, workflow (for process automation), delegated administration (including self-service and password administration), and audit logging and reporting capabilities."
"Part of the functionality of the directory service is the ability to create and manage security and access policies, usually in a hierarchical way, with policy inheritance," says Penn. "You start by creating global policies, and underneath that maybe geographic or business unit policies that inherit the global attributes but are more stringent than the enterprise policies. Underneath that, the application policies and user access rules may be more stringent yet."
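The inheritance Penn describes has one rule worth making explicit: a lower level may override what it inherits only in the more stringent direction. The following is an added illustration of that rule, not Oracle code and not how Oracle Internet Directory stores policies; the three settings and the global/finance/payroll hierarchy are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed illustration of hierarchical policy inheritance (not Oracle
# code): a child policy inherits its parent's settings and may override
# them, but only in the more stringent direction.

# How to judge "more stringent" for each setting: child value vs parent value.
STRICTER: Dict[str, Callable] = {
    "min_password_length": lambda child, parent: child >= parent,
    "max_session_minutes": lambda child, parent: child <= parent,
    "mfa_required":        lambda child, parent: child or not parent,
}

@dataclass
class Policy:
    name: str
    parent: Optional["Policy"] = None
    min_password_length: Optional[int] = None
    max_session_minutes: Optional[int] = None
    mfa_required: Optional[bool] = None

    def own_settings(self) -> Dict[str, object]:
        """Settings this level sets explicitly (None means 'inherit')."""
        values = {
            "min_password_length": self.min_password_length,
            "max_session_minutes": self.max_session_minutes,
            "mfa_required": self.mfa_required,
        }
        return {k: v for k, v in values.items() if v is not None}

    def effective(self) -> Dict[str, object]:
        """Resolve the policy a user at this level actually gets: the parent's
        effective policy first, then this level's overrides on top."""
        inherited = self.parent.effective() if self.parent else {}
        return {**inherited, **self.own_settings()}

    def violations(self) -> List[str]:
        """Settings where this level is looser than what it inherits; an
        enforcement step should reject such a policy rather than apply it."""
        if self.parent is None:
            return []
        inherited = self.parent.effective()
        return [k for k, v in self.own_settings().items()
                if k in inherited and not STRICTER[k](v, inherited[k])]

def build_hierarchy():
    """Global -> business unit -> application, as in the quoted description."""
    global_policy = Policy("global", min_password_length=8,
                           max_session_minutes=480, mfa_required=False)
    finance = Policy("finance", parent=global_policy,
                     min_password_length=12, mfa_required=True)
    payroll = Policy("payroll-app", parent=finance, max_session_minutes=30)
    # A misconfigured application policy that tries to loosen two settings.
    lax = Policy("lax-app", parent=finance, min_password_length=6,
                 mfa_required=False)
    return global_policy, finance, payroll, lax

if __name__ == "__main__":
    _, _, payroll, lax = build_hierarchy()
    print(payroll.effective())   # tighter at every level it touches
    print(lax.violations())      # the two settings lax-app tried to loosen
```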
Identity Management with Oracle
Oracle provides a broad spectrum of identity management functionality within the Oracle 10g Identity Management infrastructure, representing a significant advance over previous releases. "With Oracle 10g, Oracle is taking an important step in the crucial area of identity management," says Uppili Srinivasan, senior director for Identity Management and Security Products at Oracle. "Leveraging our 25 years of experience and strength as a leading vendor well known for its secure products, we're focusing on also becoming a leading vendor well known for its security solutions, and Oracle Identity Management is central to this effort."
Delivered as part of Oracle Application Server 10g and the Oracle Platform Security architecture, Oracle Identity Management provides a foundation for building identity management solutions (see "Oracle Application Server 10g Identity Management Infrastructure"). Its components include
- Oracle Internet Directory (OID): a scalable, secure directory service, compliant with the Lightweight Directory Access Protocol (LDAP) standard, for storing and managing user information
- Oracle Directory Synchronization Service: a directory integration platform that enables the enterprise to connect the identity management directory to legacy or application-specific directories
- Oracle Provisioning Integration Service: a provisioning framework that can be linked to the enterprise provisioning system, such as a human resources application, or operated in standalone mode
- Oracle Delegated Administration Service: a delegated administration model and application that enables the identity management administrator to selectively delegate management access rights to an administrator of an individual application or directly to a user
- Oracle Application Server Single Sign-On (SSO): a runtime model for user authentication
- Oracle Application Server Certificate Authority: a system for creating and managing public key infrastructure (PKI) certificates
"Although Oracle Application Server 10g is the primary release vehicle for this set of functions, Oracle Identity Management also serves as a shared security infrastructure for all Oracle products and technology stacks, including Oracle Database, Oracle Collaboration Suite, and Oracle E-Business Suite," says Michael Mesaros, director of Product Management, Oracle Identity Management Products. "It can also serve as a general-purpose identity management solution for user-written and third-party enterprise applications, integrated within an enterprisewide identity management deployment."
"Oracle partners also provide identity management applications that cover a wide range of functionality for authentication, access control, and user management," notes Milan Thanawala, director of Security and Identity Management Business Development at Oracle. "Partners certify with the Oracle Identity Management infrastructure to ensure the proper operation of their products with the infrastructure."
Secure Identity Management with Availability
The Oracle Identity Management infrastructure is appealing to companies because it addresses real-world needs. For example, Archipelago Holdings LLC, headquartered in Chicago, is the builder of the Archipelago Exchange (ArcaEx), the first open all-electronic stock market in the United States, where customers can openly trade all NYSE-, AMEX-, PCX-, and OTC-listed securities. As part of its drive to provide the best market information to its customers, Archipelago has developed a Web application called ArcaVision, which provides timely market data insight to participating exchange customers: issuers and traders. During the application's development, the IT organization at Archipelago Holdings decided that it needed a single-sign-on solution for these groups, as well as a way to centrally manage all authorization and access-control functions for its users.
With time to market a key consideration, the company decided on an all-Oracle solution. Using Oracle9i Database, Oracle9i Application Server, Oracle Single Sign-On, and Oracle Internet Directory, as well as the J2EE facilities in Oracle Application Server, the IT group was able to provide Web single-sign-on access to internal and external users of ArcaVision, based on the roles and access privileges authorized by the Archipelago customer account team.
"The driving decision for us in deploying an all-Oracle-based system was to have a single vendor accountable for all the components. This provided a tightly integrated solution, helped speed the development cycle, and eliminated finger-pointing between vendors," says Steve Hirsch, managing director of Database Operations at Archipelago. "Because we knew that Oracle Database, Oracle Application Server, Oracle Internet Directory, and Oracle Single Sign-On could easily coexist, we had a shorter time to market and a greater ease of implementation than we would have had otherwise."
ArcaVision's user base includes people with full access to all the program's features, employees, and traders coming in from the Internet. The access controls built into the system not only govern user privileges but also drive the data results, so users get custom reports that deliver exactly the kind of data they request, based on their business relationship and user profiles. "We really take advantage of knowing exactly who is logged in to the site, via the authentication data in OID," notes Hirsch.
ArcaVision has been live for more than a year, and Archipelago IT is adding features continually. "The application was first deployed to internal users but has now expanded to external users," says Hirsch. "Once users have been provisioned by the account managers, they can sign on once and access all the permissioned portions of the site without having to sign on again."
Figure: Oracle Identity Management Infrastructure
Distributed Identity Management
Another real-world need addressed by Oracle Identity Management involves the way organizations grow and evolve. Generally, as organizations grow, merge, or acquire new divisions, their systems and applications become more diverse and distributed. A case in point is Lawrence Livermore National Laboratory. LLNL resembles many other large organizations, in that user identity is spread across multiple applications and divisions, requiring users to sign on multiple times and maintain multiple user names and passwords to do their daily business. To address this problem, Administrative Information Services (AIS) at LLNL deployed a central Oracle 10g Identity Management instance to provide single sign-on for applications tied into the system, and a distributed identity management architecture throughout the 12 directorates.
LLNL's Macedo explains, "We began this project by asking some critical questions: How do you implement a centralized single-sign-on scheme when your IT organizations are structured in a highly decentralized manner? And how can you provide infrastructure management autonomy while supporting a centralized SSO scheme? Our answer was built around Oracle Single Sign-On, Oracle Application Server 10g, and Oracle Internet Directory, architected as a high-availability platform for rollout to the various directorates. The system obtains user account and password information from our central Computer Security Program (CSP) organization and spreads it via the identity management platform to all participating applications. It's meant to enlist our directorates in an enterprisewide identity management infrastructure, just the first step in our ultimate goal of providing a federated identity management solution to all of LLNL."
Snapshots
Archipelago Holdings LLC
Archipelago Holdings LLC, headquartered in Chicago, is home to the Archipelago Exchange (ArcaEx), the first open all-electronic stock market in the U.S. Established in 1999, it trades all NYSE-, AMEX-, PCX-, and OTC-listed securities. The ArcaVision trading and market information application utilizes an Oracle Identity Management infrastructure to provide single sign-on and user account management.
Oracle Products Used: Oracle9i Database, Oracle9i Application Server, Oracle Single Sign-On, Oracle Internet Directory, J2EE facilities in Oracle Application Server, Oracle Real Application Clusters
Lawrence Livermore National Laboratory
Lawrence Livermore National Laboratory (LLNL), in Livermore, California, is a key U.S. Department of Energy laboratory, operated by the University of California. The lab's mission is to apply science and technology in the national interest, with a focus on global security, global ecology, and bioscience. To address the problem of fragmented identities, LLNL has devised an Oracle 10g Identity Management server to provide single sign-on for applications tied into the system as well as a distributed identity management architecture deployable throughout the 12 directorates.
Oracle Products Used: Oracle Application Server 10g, Oracle Single Sign-On, Oracle Application Server Portal, Oracle Internet Directory
Golden Gate University
Golden Gate University (GGU), founded in 1901 in San Francisco, is California's fifth-largest private university, offering undergraduate and graduate programs in business and management, information technology, taxation, and law. The development of GGU's universitywide identity management infrastructure is ongoing and will include Oracle Identity Management infrastructure support for hosted Oracle E-Business Suite applications as well as in-house applications.
Oracle Products Used: Oracle Application Server 10g, Oracle Single Sign-On, Oracle Internet Directory, Microsoft Active Directory Agent, Oracle E-Business Suite, Oracle Online
This model has several virtues: autonomous management of all Oracle Application Server services, automatic OID synchronization, and improved SSO performance for issues associated with geographic separation. Its drawback, however, is that LLNL doesn't get true global SSO, which would eliminate the multiple logins when a user crosses to a disparate SSO realm. "Nonetheless, it's an improvement over what exists today: a hodgepodge of user logins for a wide variety of applications," says Macedo. "The result is one highly available solution for our infrastructure services, which we intend to use not only as the target to which the CSP pushes the IDs but also as a metadata repository for all of our production application server instances."
When the platform is fully deployed later this year, AIS will use Oracle's SSO as a front end for its Live Link document management system. It will also tie Oracle Application Server Portal into the central Web content management scheme of the laboratory, where users get access to standard Web content, documents, PDFs, graphics, and so forth.
"Other application candidates on the slate for fairly rapid migration include our most heavily used application, timecard entry, and an integrated worksheet system that houses all our processes and procedures for sensitive work at the lab," says Macedo. "We're happy with the solution, but we're still shooting for the Holy Grail of a federated single-sign-on model, something [we understand] Oracle is working on. It would allow the various directorates to run their own identity management infrastructure but would leverage our CSP's SSO without all the current costs."
An ID Universe
Not only do some businesses have to contend with a heterogeneous set of systems and applications, but many, such as California's fifth-largest private university, Golden Gate University (GGU), have a diverse, ever-changing set of users. GGU's user base includes nearly 20 distinct user communities. As part of its drive to streamline identity management for the university while providing a better user experience for its students, faculty, employees, and others, the centralized IT department is in the process of putting in place an enterprisewide identity management strategy, including an Oracle Identity Management infrastructure. Tied in to half a dozen Oracle-hosted Oracle E-Business Suite applications, the solution will provide a directory integration and single-sign-on layer to broker identities across academic and business applications and a variety of infrastructure components connecting three data centers in the western U.S.
"One of our identity management goals is to create an integrated point of entry through a Web site portal for many of our enterprise applications and data, so single sign-on is a big deal for us and we need to extend it beyond our employees," says Anthony Hill, chief technical officer at GGU. "We're also building role-based personalization into the Web site, which will create individualized workspaces for people, based on their roles. The identity source of record will still be the applications, but identity data will be consolidated and leveraged across Oracle Internet Directory as well as Novell's eDirectory and Microsoft's Active Directory, to create a hub-and-spoke model to greatly simplify identity management across GGU. We hope to reduce help desk calls for password resets, which consume 70 percent of our help desk time, and to redirect those resources to support new technology and more-efficient technical support."
Hill stresses the need for automated provisioning across the enterprise, not just for the core applications but also for the Web sites and many infrastructure applications, including network access, messaging, academic systems, and student project environments. But whereas most systems or applications will be set up for autoprovisioning, other accounts will use a combination of self- and manual provisioning.
A big challenge for GGU will be combining the in-house and outsourced environments: leveraging Oracle's technology stack at the data center in Austin, Texas, where the ERP infrastructure resides, together with the in-house applications at GGU, all using the identity management infrastructure.
"Our identity management system faces unique challenges at GGU that you don't often find in corporate America, because of the number of systems we maintain, the high level of transience in the student user base, and the changing roles a single identity can play over time," says Hill. "An individual can be a student, employee, faculty member, and alumnus simultaneously. Therefore, to meet our complex needs, our solution will ultimately combine best-of-breed identity management toolsets with the Oracle Identity Management platform."
Coming Soon
Oracle Identity Management is an evolving infrastructure, each component of which has developments and enhancements planned for the near future. Three areas are targeted for enhancements or additional functionality later this year. The platform will provide
- Application Server Agents, making Oracle Single Sign-On more suitable for a heterogeneous enterprise application scenario
- A User Provisioning toolset, including a Web User Provisioning Console, a Workflow component, a set of Service Provisioning Markup Language and Provisioning Connectors, and a set of Directory Connectors that will expand the connection of OID to Novell Nsure (eDirectory) and OpenLDAP directories
- A set of standards-based technologies for federated SSO, provisioning and deprovisioning, and single sign-off.
"As we move forward with providing these enhancements, our overall direction is clear," concludes Oracle's Mesaros. "We're expanding our infrastructure to more efficiently handle distributed enterprise and interenterprise identity management deployments. In the meantime, Oracle 10g Identity Management provides a robust foundation for today's complex identity management needs."
Oracle Partners in Identity Management
Although Oracle Identity Management is designed to be a comprehensive infrastructure for identity management, Oracle understands the need for third-party appliances, applications, and toolsets. To that end, Oracle encourages ISVs in the identity management space to develop compatible products.
"We work with our partners to help them certify their products with Oracle and provide technical assistance and resources to help them integrate with Oracle in the most efficient manner," says Milan Thanawala, director of Security and Identity Management Business Development at Oracle. "Security in general and identity management in particular are key focus areas for us."
Here's a sampling of Oracle Identity Management partners.
Authentication
VPN/Load Balancers/Firewalls
- F5 Networks: BIG-IP FireGuard 520 provides firewall load balancing, high availability, and maximum security.
- Citrix: NetScaler 9000 Series secures and optimizes Web-based or client/server application traffic.
- Radware: Delivers multilayer enterprise security solutions.
Multi-Factor Authentication
- Bio-key International: Provides secure single sign-on for Oracle applications, using fingerprint identification.
- RSA Security: Produces a Java-based smart chip that handles pre- and post-issuance of applets and digital credentials.
High-Assurance CA Service
- RSA Security: Makes software for managing digital certificates and providing an environment for authenticated, private, and legally binding electronic communication and transactions.
- Entrust: Develops software that helps you centrally manage the deployment of SSL certificates for multiple Web servers.
Enterprise Single Sign-On
- Passlogix: v-GO SSO delivers universal single sign-on to Windows, Web, Java, UNIX, and proprietary applications.
Michael Miley (mmiley@pacbell.net) is a freelance writer living in Sonoma, California.