Whilst the majority of the IT press is focusing on the big announcements being made here at Oracle OpenWorld, such as in-memory storage and the extended collaboration between Oracle, EMC and Microsoft, I would like to focus a bit more on the Identity & Access Management news. There are several new innovations from Oracle which have not got the same attention as the keynotes, even though many of them are, in my opinion, game-changing and could have a significant impact on the business world. In this post I will cover them briefly, and in the following weeks I will be going into more details for some of them.

Database Security

Databases are one of the favourite victims of the auditors, and rightly so. They may hold the keys to your kingdom, and thus information that may make or break your company. We need to know who has access to it and what they can do with it. Today this is a very cumbersome task that often requires significant resources from a DBA team. Oracle 12c ships with a new system called "Real Application Security", written from scratch, which brings a new user, session and authorisation model. It provides extremely fine-grained DB control that allows management of:

  • what the user can see,
  • what the user can do, not limited to standard DB operations but in a business context, such as “user x can only see payroll information from his region”,
  • context-aware authorisations: a user can see financial information when he is in the office but not from Starbucks.
All of these new features can be managed centrally from OES and also be integrated right into the IAM platform, so that these authorisations can include roles, for instance. This allows for a completely new way of managing DB access.

IAM Platform

The observant reader may have noticed that I mentioned an IAM Platform earlier. Oracle is adopting a platform approach which is not limited to IAM, but also covers HCM, Cloud Services and more. However, in the IAM area this means that the legacy offering of many different systems is being combined into a single, integrated platform with a common data model. In October 2012 Oracle announced Oracle’s Identity Governance Suite (OIG) as a first step towards such integration. The announcement now at OOW basically means that in the future (12-18 months) there will be only one IAM product. It will be a platform that combines all the functionalities that an enterprise may need – at least that’s the promise of Oracle. We have already seen in OIG 11gR2-P1 that OIM and OIA have merged.

In addition to this convergence of IAM systems, Oracle has increased their focus on mobile and social identity, with some extensions to their Access Management suite of products already available. This means that Cloud single sign-on will become a standard offering as well as exposing the capabilities of the whole IAM platform through a set of REST-based APIs. This is, in my opinion, a game-changer that allows for a completely new, tighter integration between mobile platforms and IAM, not to mention the ability to very easily integrate in-house developed solutions to the IAM Platform. Oracle has been focusing on “Identity Services” for a long time now with their “Service-oriented Security”, but with the recent announcement they are taking another big step forwards in the shift from IAM as a set of tools, towards IAM as platform-based, easy-to-consume services.

This service-based approach is also what might become the most important counter-argument to concerns regarding a platform being too complex and leading to lock-in. Based on services, organizations can consume specific capabilities and integrate with existing solutions they already have in place.

Another area that receives a lot of focus these days is the ability to support Open Authentication (OATH). Oracle not only supports this but will also support organizations in being an Identity Provider, which can become a major business-enabling feature for large or very specialised corporations. Also noticeable in this area is the support for OATH-based tokens, allowing organisations to use everything from standard hard tokens to software OTP for authentication.

In the area of access governance there is also a major development. Normally we are concerned with what users have access to, but this has always been based on access rights to applications, servers and platforms. In the roadmap for OIG we also now see Data Access Governance. This means that now, in addition to standard Access Governance, we will be able to attest and certify access to files, file-shares and SharePoint sites, based on the ability to tag the data that resides there. Adding Data Access Governance to the IAM portfolio, and Access Governance in particular, is not entirely new in the market, but it is a logical step forward for Oracle and fits their platform strategy.

Furthermore the new platform allows for, depending on the availability of data from the platform in question, reporting on who has accessed which data when, and what they have done with it, e.g. downloaded, modified, etc. It also includes what commonly is called “User Activity Monitoring”. Beyond that, access policies for data can also be implemented in a context-aware way, so that a doctor may be able to access patient records when he is at the hospital, but not when he is at home. The same doctor may download a patient record to his desktop at the hospital but not to his iPad. In contrast to the various platforms limited to risk- and context-based authentication, Oracle is consequently extending the “risk and context paradigm” to fine-grained authorization.

Finally we are seeing new developments in the area of Privilege Management with increased integration to ticketing systems and management of application and system accounts. Unfortunately Oracle currently only supports SSH-based connections. However, there is a large focus on expanding this and within the next 12-18 months we will see most common platforms supported, such as Windows and hypervisors.

Conclusion

Oracle have always been one of the major players in the IAM area. However, their tools had been rather heavyweight and sometimes hard for clients to understand, integrate and work with. This was due to the vast array of products in the Oracle IAM portfolio, most of them through acquisition.

With OIG 11gR2 and the roadmap announcements beyond that release, Oracle is sending the message that IAM is about business. The innovation that is going into the IAM platform is remarkable, and I believe that we will see a decent attempt, from one of the very large players in the market, at providing a single unified platform that will cater for everything from automatic provisioning to cloud single sign-on, built on a base of granular access governance. Together with the massive service orientation and the breadth of features, this appears to be unique and will increase pressure on the competition. It is my opinion that Oracle has ambitions of not only leading in the America's Cup but also in the IAM field. Any organisation that is serious about IAM and understands the business-enabling features of IAM should have a look at OIG and the Oracle IAM platform strategy. It may not fit everyone – but it will change the IAM market.

[Image: The Oracle Plaza at OpenWorld]