For most security software initiatives, it’s hard to
calculate a clear return on the investment. It’s like working backwards:
calculating the benefit of something bad not happening. Identity Management (IdM) initiatives are
different, however. There are clear and measurable cost savings to be had in
reduced administration time, and increased employee productivity due to fewer
password resets. These can be measured and estimated even when breaches don’t
occur.

Oracle’s
solution to the identity management problem is Oracle
Identity Management, announced in June, 2005. This is the first release
since Oracle acquired Oblix in March. In this article, we’ll take a look at the
integrated features of this suite, and how it can lower an organization’s cost
of deploying computer resources.

Building on Oracle’s foundations

Oracle Identity Management builds upon strong identity- and
security-oriented features in its existing products, notable the Oracle
Database 10g and Oracle Application Server 10g. The Oracle Database, for example,
is used as a repository for the various components of Oracle IdM, such as the
LDAP directory, login policies, access policies, and audit logs. This leverages
an organization’s existing investment in fault-tolerance, administrative
personnel, and backup/recovery procedures.

A directory service is the base of all Identity Management.
Oracle’s directory service is called Oracle Internet Directory (OID), and
because it stores its data in an Oracle Database, it leverages the scalability,
reliability, parallel processing, high availability (via Real Application
Clusters) and security features of that platform. The user list can grow to the
millions without concern that the data store won’t be able to scale.

Single Sign On is a feature of another part of Oracle’s
technology stack, the Oracle Application Server 10g. Users signing on to Oracle
Portal are authenticated in one of several ways: password, X.509 PKI
certificate, or biometrics like a thumbprint scan. Once authenticated, the user’s
session receives a cookie that enables them to gain access to other sites
within the company without having to sign in to each site individually. AS-SSO
is already integrated into Oracle’s own applications, such as the eBusiness
Suite and Collaboration Suite.

All of these features may already be present in an
organization that uses the Oracle technology stack.

Identity and access features

Oracle Identity Management adds a Directory Integration and
Provisioning service (DIP) to the directory, turning it into a powerful meta-directory:
a single source of user identities in the system. The synchronization is
two-way: user identities entered or modified via the directory’s own
self-service web interface can be pushed out to other directories, but user
identities changed in those directories percolate back to OID.

This means that when a new employee is added to Oracle HR or
PeopleSoft, the directory knows about it, and other directories do too. This
protects the organization’s investment in these applications. Even when a user’s
Windows network login is changed, OID can synchronize with Active Directory to
pick up the information. This level of automation reduces administrator time in
two ways: fewer passwords to remember means fewer passwords to forget, and
therefore fewer password reset problems taking the help desk’s time. Also, when
a user is added or removed to one place, no additional administrator time is
needed to update the others.

Oracle COREid Access and Identity was integrated into Oracle
Identity Management with Oracle’s acquisition of Oblix. This mature product has
been in service since 1996, and has an existing customer base of some 200
companies, some of whom manage millions of user identities. Some of the
features that COREid Access and Identity added to the product are:

  • Dynamic group management – Instead of
    adding users to groups individually, which doesn’t scale well, COREid can
    dynamically add them based on user attributes. When a user changes roles within
    the organization, COREid automatically updates group memberships, with the
    effect that permissions are added and removed at the group level with minimal
    operator time.
  • User self-service registration, profile
    update, and password reset –     Users can add themselves to system services,
    which starts an approval process using a built-in workflow system. Requests are
    routed to decision-makers automatically, and upon approval, the user is granted
    access without direct system administrator time being required. For resetting passwords, the user can
    validate using a shared secret, and the system will reset the password, again
    without help desk assistance.
  • Delegated administration – Various parts
    of the organization can administer their own user base.
  • Centralized auditing and logging –Failed login attempts are tracked system-wide,
    and a series of pre-built reports can be run to monitor compliance.

Automated provisioning

Once user identities and their access permissions are
managed centrally, that control can then be extended to databases,
applications, and other identity stores via Oracle
COREid Provisioning. Another product acquired from Oblix, this feature uses
an extensible system of “connectors” to propagate access privileges
to specific applications. Using the COREid Provisioning Console, users and
groups can be managed centrally.

Connectors exist to provision Oracle’s own applications
(Oracle HR and the rest of the eBusiness Suite, Oracle Portal, Collaboration
Suite), directories such as Microsoft Active Directory, and generic LDAP and
flat file identity stores. This protects the organization’s investment in
current applications and infrastructure, operating within the heterogeneous
data centers most companies have.

The bottom line

Oracle has positioned its Identity Management solution to be
the security backbone of all services performed in the middle tier. As users authenticate to a portal via Single
Sign On, this authentication can move outward from the center toward applications
as well as databases. Having a single coordinated directory of user identities
and access privileges results in cost savings from reduced administration,
increased efficiencies in working with partners