As published in Oracle Magazine, July/August 2006 (Feature)

Access Granted
By David A. Kelly, with David Baum

Identity management enables security for privacy and regulatory mandates.

Organizations traditionally have invested in security technology to prevent unauthorized users from gaining access to private information or restricted IT services. Over the past few years, the scope and importance of security technologies in general, and identity management in particular, have changed. New identity management and security capabilities—as found in Oracle's identity management offerings—can increase developer productivity while lowering costs and helping to address today's stringent compliance requirements.

Snapshots

Burlington Coat Factory
www.burlingtoncoatfactory.com
Location: Burlington, New Jersey
Industry: Clothing, home furnishings
Number of employees: 30,000
Oracle Products: Oracle Database, Oracle Real Application Clusters, Oracle Data Warehouse, Oracle Internet Directory, Oracle Retail Price Management, Oracle Human Resources, Oracle Portal

Ingersoll Rand
www.irtools.com
Location: Hamilton, Bermuda
Industry: Industrial manufacturing
Number of employees: 40,000
Oracle Products: Oracle Access Manager

"Identity management solutions like Oracle's can accelerate the deployment of new systems," says George Jucan, CEO at Open Data Systems, a Toronto-based consulting services company. "In terms of [development] effort, security can represent 30 to 40 percent of any new system. Having all those security features contained in a centralized system that is equipped to fully manage security takes a lot of cycles out of the development effort."

Not only can a good identity management solution simplify development, it can also speed up application deployment by standardizing security components, reducing application and user maintenance requirements, and creating greater consistency in the way business policies are applied. Moreover, identity management helps organizations comply with new regulatory obligations by enabling companies to enforce access control mechanisms that segregate the duties of users. Identity management also helps to automate the processes around compliance, and it enables the creation of audit trails, which track access to applications.

Burlington Coat Factory Warehouse, in Burlington, New Jersey, has experienced some of these benefits firsthand. The national retailer has been using Lightweight Directory Access Protocol (LDAP) services for some of its identity management needs for more than five years, but managers realized that they needed to consolidate and coordinate their growing LDAP stack more efficiently. Burlington deployed Oracle Internet Directory (OID) to leverage its existing directory service. "We use Oracle Internet Directory as our primary identity management hub, synchronizing pertinent information to other LDAP servers for deployment throughout the enterprise," says Chris Lundell, network administrator, Burlington.

Lundell explains that OID maps password and account expiration information to an OpenLDAP (an open source implementation of LDAP) server cluster for UNIX authentication and authorization, effectively replacing Sun Network Information System. OID has its own set of password policies and account lockout/expiration policies. These policies are mapped to their UNIX equivalents in real time, keeping all UNIX accounts up-to-date. "It's a seamless and straightforward way to manage the process," says Lundell.

Burlington also uses OID to synchronize with Microsoft's Active Directory. Accounts in Active Directory are managed in much the same way that the UNIX accounts are managed. "Identity management is becoming core to our IT operations," says Lundell. "Burlington Coat Factory is becoming very LDAP-centric, and Oracle Internet Directory is a natural fit for centralizing and coordinating our diverse and evolving LDAP stack. For us, OID is indispensable."

Managing Extranet Complexity

While identity management solutions can simplify operations for an individual company such as Burlington, Mike Neuenschwander, vice president and research director at analyst firm Burton Group, says today's identity management solutions often open applications to business partners and customers as well. "Identity management is becoming a very important enabler, particularly in federation scenarios where the administrative burden of account management for distributed users can be overwhelming," he says.

Identifying the Management Components

A complete identity management solution needs to include a wide range of functionality to manage a broad scope of security and identity-related challenges. Consider the functional components of an identity management solution, and the Oracle products that address them.

Access and identity. A key aspect of identity management is administering users and their privileges and controlling access to applications and enterprise resources. Oracle Access Manager provides centralized access management for heterogeneous environments and administrative capabilities such as delegated administration and identity self-service functionality.

Federation. As organizations move to extend IT access to users outside the company, they need solutions that will ensure security and enable practical connectivity with external parties. Oracle Identity Federation provides cross-domain single sign-on and helps large corporations securely link their business partners into a corporate portal or extranet while complying with regulatory and security requirements.

Provisioning. Identifying and administering users is one thing; provisioning them is another. Oracle Identity Manager automatically manages user access privileges across heterogeneous resources throughout their full lifecycle, from original creation to eventual deprovisioning.

Directory. For many organizations, a key component of identity management is a centralized directory that serves as the central user repository. Oracle Internet Directory simplifies user administration and provides a standards-based, scalable application directory for heterogeneous enterprises.

Virtual directory. Virtual directories are important for providing views of enterprise information without synchronizing or moving data from its native location. Oracle Virtual Directory provides scalable, reliable LDAP and XML views of existing enterprise information regardless of where it is physically located.

Web services management. As Web services proliferate, organizations need solid ways to manage them. The Oracle Web Services Manager solution adds policy-driven identity management technology to existing or new Web services.

Ingersoll Rand is a good example of how this works. The company, which provides products, services, and integrated solutions to industries ranging from transportation and manufacturing to food retailing, construction, and agriculture, experienced steady growth partly due to its strong dealer channel. As Ingersoll Rand grew—and its applications proliferated—it needed a way to simplify access to applications and improve user lifecycle management. The company used identity management to streamline interactions with its partners.

"Prior to implementing our dealer portal, our dealers had to visit separate Web sites, based on brand, to access content about orders, warranties, and sales and marketing," says Jim McDonald, IT manager at Ingersoll Rand. "Having multiple Web sites created confusion for our dealers—they didn't always know which Web site to visit to accomplish particular tasks." Added frustration came from managing many usernames and passwords—especially in light of password change cycles. "From a compliance perspective, we wanted a more-centralized way to audit the access records and user-access patterns across brands," McDonald says.

To mitigate these issues, Ingersoll Rand implemented a brand portal built on Oracle Access Manager. One of the most important features of this single-sign-on system, called IR Passport, is how it allows Ingersoll Rand to delegate user administration at multiple levels, such as by region, district, and dealer, significantly reducing the user-management bottleneck at Ingersoll Rand's help desk.

"We wanted to minimize the impact to the existing application footprint to keep costs down," McDonald explains. "Oracle Access Manager has a hot-pluggable architecture that integrates well with our other applications."

Thanks to this hot-pluggable architecture, Ingersoll Rand's application developers didn't need to be experts in identity management to take advantage of Oracle Access Manager software, which passes authenticated users to each application. "Oracle Access Manager gives us a best-of-breed security solution, and we've reduced our need to worry about ever-changing security standards," says McDonald. "Essentially, we have moved that job to Oracle, and we depend on Oracle to maintain security and encryption."

Managing Users Effectively

Just as identity management technologies enable organizations such as Burlington Coat Factory and Ingersoll Rand to streamline internal operations, they also help technology companies expand their customer bases. For Transfer Solutions BV, an Oracle partner and systems integrator based in the Netherlands, being able to offer a portfolio of security solutions is an important part of winning new projects. "Our customers are definitely concerned about the security of their data and applications," says Bert Dondertman, technical architect at Transfer Solutions. "As a result, identity management and application security are becoming more important to our business."

Meeting Compliance Challenges

Regulations such as the Sarbanes-Oxley Act, HIPAA, and the European Data Privacy Directive seek to provide greater visibility into business processes, and companies have often responded by implementing comprehensive internal control frameworks. The regulatory impact includes requirements to secure access to information by controlling who has access to it and to create documentation for process, application, and IT controls, whether these controls are corrective, detective, or preventive. Organizations affected by these regulatory requirements often have to certify periodically (every three to six months) that only appropriate individuals have access to critical information systems; they also must be able to prove compliance for an internal or external audit team.

Many of the common control deficiencies that auditors look for occur when identity management is still built into each individual application, and multiple applications need to be managed. These deficiencies include, for example, a delay in terminating access either when an employee leaves or is promoted, thus accumulating privileges to applications for which the employee no longer needs access. Further compliance issues arise when password policies are not enforced across all systems, and when users have access to applications that conflict from a business perspective—such as when a clerk with rights to the purchasing system also has access to the accounts payable system.
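The three deficiencies just listed (access not removed after termination, privileges accumulated through a promotion, and a purchasing/accounts-payable conflict) are exactly what a periodic access certification has to surface. The following is an added example, not code from the article or from any Oracle product: a small access-review check over constructed HR and entitlement data, with a hypothetical role model and segregation-of-duties list that a real deployment would load from its identity store.

```python
"""Periodic access certification check (constructed sample data).

Flags the control deficiencies an auditor looks for:
  1. accounts still holding access after the employee has left,
  2. entitlements carried over from a previous role after a promotion,
  3. segregation-of-duties conflicts (purchasing + accounts payable).
"""
from dataclasses import dataclass, field

# Hypothetical role model: which systems each job role legitimately needs.
ROLE_ENTITLEMENTS = {
    "purchasing_clerk": {"purchasing"},
    "ap_clerk": {"accounts_payable"},
    "purchasing_manager": {"purchasing", "reporting"},
}

# Pairs of systems one person must never hold together (toxic combinations).
SOD_CONFLICTS = [("purchasing", "accounts_payable")]

@dataclass
class Employee:
    uid: str
    role: str
    active: bool                 # HR status: False once the person has left
    entitlements: set = field(default_factory=set)

def certify(employees):
    """Return (uid, finding) tuples for the review team to act on."""
    findings = []
    for e in employees:
        if not e.active and e.entitlements:
            # Terminated employee whose access was never revoked.
            findings.append((e.uid, "terminated_but_active"))
            continue
        allowed = ROLE_ENTITLEMENTS.get(e.role, set())
        for extra in sorted(e.entitlements - allowed):
            # Access beyond the current role, e.g. left over from a prior job.
            findings.append((e.uid, f"excess_entitlement:{extra}"))
        for a, b in SOD_CONFLICTS:
            if a in e.entitlements and b in e.entitlements:
                findings.append((e.uid, f"sod_conflict:{a}+{b}"))
    return findings

# Constructed sample population.
SAMPLE = [
    Employee("alice", "purchasing_clerk", True, {"purchasing"}),
    # bob is the clerk from the text: purchasing rights plus accounts payable.
    Employee("bob", "ap_clerk", True, {"accounts_payable", "purchasing"}),
    # carol was promoted from ap_clerk and kept her old accounts_payable access.
    Employee("carol", "purchasing_manager", True,
             {"purchasing", "reporting", "accounts_payable"}),
    # dave left the company but his account was never deprovisioned.
    Employee("dave", "purchasing_clerk", False, {"purchasing"}),
]

if __name__ == "__main__":
    for uid, finding in certify(SAMPLE):
        print(uid, finding)
```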

Compliance requirements drive investment in identity management technology, which addresses these control deficiencies by providing a framework to manage users and their access rights. And the urgency to implement comprehensive access and security solutions is increasingly global.

"Judging by our own customer base, these regulatory drivers often cut across national boundaries," says Harald Collet, director of risk assurance solutions at Oracle. "Many of our European customers are concerned about data privacy or the Sarbanes-Oxley Act since they may have exposure on U.S. stock exchanges or on U.S. financial markets. Chinese banks may be concerned about corporate governance requirements when they have to raise public debt in international markets. Japanese organizations are facing the new Japan Corporate Governance Act, which will go into effect in 2008. These global security and regulatory issues that are driven by the interconnected capital markets require the same kinds of protections for financial information and customer information everywhere."

Data privacy is one issue that can't be addressed in just one part of the business. Data, application, and access requirements must be addressed globally through consistent authorization policies. "When it comes to security, our customers are focused on regulatory compliance," says Collet. "That reflects the new operational reality faced by many companies." Addressing compliance issues is one way that organizations can keep their data safe, secure, and confidential.

Transfer Solutions recently completed a project for the Employers' Insurance Organization in the Netherlands that will encompass approximately 3,000 users by the end of 2006. Transfer Solutions integrated Oracle Internet Directory with Microsoft Active Directory to enable single sign-on for users via native Kerberos authentication on the Windows platform. "The users benefit because they have one identity and don't have to separately log into multiple applications," says Dondertman. "For our part, allowing Oracle to manage security means we have to configure only one component, instead of developing specialized code. It's much quicker."

It's certainly easier than designing applications and application security the old-fashioned way. "Several years ago, every application had its own identity management capabilities, and as a result there were many places in a company where user information was stored," says Dondertman. "But that is very difficult to maintain," he adds. "When someone leaves the company, for example, every system needs to be updated. It can be a huge problem if you overlook one of them." However, with an integrated identity management approach, modifying access privileges when an employee's position changes or a new employee is added becomes much easier.

Secure from All Angles

Security attacks on company and personal data—and business managers' awareness of IT security needs—have increased dramatically in recent years. These needs are addressed by security and identity management products, which have evolved from niche products that are applicable to specific instances to more-generalized infrastructure solutions that can be leveraged across Oracle and non-Oracle environments. For example, Oracle Security Developer Tools, which ship with Oracle Application Server, are pure Java toolkits that can be used to enable federation and interoperability between client and server resources in many types of IT environments. According to Howard Bae, product manager for identity and access management at Oracle, these tools support everything from low-level cryptographic algorithms to certificate management. They also include secure messaging capabilities such as S/MIME and CMS, along with application-programming interfaces for XML security, Web services security, digital signatures, and encryption. This makes it easier for developers to build centralized security and identity management capabilities into applications from the start—rather than having to retrofit solutions after the fact.

"We know of no security needs that cannot be satisfied by Oracle Identity Management," says Open Data Systems' Jucan. For example, in environments where LDAP directories already exist, Open Data uses Oracle Virtual Directory to integrate with Oracle Internet Directory. In other instances, the company uses Oracle Access Manager to enable self-service registration of corporate users and to manage the provisioning of privileges and user profiles across multiple systems.

Oracle Access Manager also streamlines the reporting and auditing of user profiles while providing single sign-on and enforcing access policies.

"With Oracle's expanded identity management offerings, we have a complete toolset at our fingertips," says Jucan. "Oracle Identity Management can provision anything—even for the most-complex IT environments that we've seen. All the tools have been seamlessly integrated into one suite to further simplify development and deployment."

Identity Management and SOA

As more organizations adopt service-oriented architectures (SOAs), the issue of identity management expands beyond simply managing user identities to encompassing discrete business services. "When you start working with distributed services, where applications need to call out to other applications and services to request a price quote or something similar, you need to be able to verify the identity and access rights of all the distributed pieces," says Burton Group's Neuenschwander.


"SOA security is all about ensuring that application-to-application communication is secure," says Wynn White, senior director of security marketing, Oracle. "You don't want to hard-code security logic into individual Web services. Instead, you want to point each pertinent Web service to a centralized security server, where they can subscribe to a centrally maintained security policy. This addresses the same problem that identity management addressed for user-to-application communication a decade ago."

Ingersoll Rand has found the business value in centralizing identity management and providing single sign-on. "We have a complex and heterogeneous technical environment," says McDonald. "We run applications in .NET, J2EE, and even Lotus Domino. With Oracle Access Manager's hot-pluggable architecture, it was relatively easy to integrate them all. Now when our dealers sign into one application, they are signed into all of them—regardless of the underlying technology. The key focus of this project was making it simple for dealers to do business with Ingersoll Rand. When our independent dealers look to expand their product offerings, we want them to think of Ingersoll Rand first. We think that making it easier to do business with us is the first step. That's really the value proposition for us."


David A. Kelly (dkelly@upsideresearch.com) is a business, technology, and travel writer who lives in West Newton, Massachusetts.
David Baum (david@dbaumcomm.com) is a freelance business writer based in Santa Barbara, California.
