Application-Centric Identity Management: Identity-enabled applications made easy Nishant Kaushik Oracle Identity Management

Oracle Fusion Middleware

The Backdrop Usage Concerns Location Needs Business application usage of identity-related data is increasing Regulatory concerns require centralized controls Identity theft, privacy concerns creating need for policies around access and use Identity data is distributed in multiple sources Multiple applications contribute to the overall identity data Administrators asking for optimizations Users asking for consistency, ease of use Identity

Business application usage of identity-related data is increasing

Regulatory concerns require centralized controls

Identity theft, privacy concerns creating need for policies around access and use

Identity data is distributed in multiple sources

Multiple applications contribute to the overall identity data

Administrators asking for optimizations

Users asking for consistency, ease of use

How do Applications deal with Identity Let’s look at the workings of a typical application during a user interaction Users Business Applications Needs to know who is connecting May need biographical information (name, address) Often needs information on roles, entitlements, privileges Needs information on policies, relationships, rules May need email address Much, much more…

Let’s look at the workings of a typical application during a user interaction

How do Applications deal with Identity So, application developers end up building… User tables Role repository Policy repository Registration processes Administration functionality Profile management Security & business policy enforcement … Users Business Applications

So, application developers end up building…

User tables

Role repository

Policy repository

Registration processes

Administration functionality

Profile management

Security & business policy enforcement

…

How do Applications deal with Identity Meta-directories and authentication tools made a dent Business Applications LDAP But didn’t take us far enough… Identity Store SSO Users

Meta-directories and authentication tools made a dent

But didn’t take us far enough…

Identity Store

SSO

The Result: IdM Complexity … Today, Identity Management is a classic “Systems Management” problem, tying together through integration the various IAM silos that exist within applications . . . Application IAM Functionality User Tables User ID & Password Stores User Profiles & Preferences Custom authentication schemes Complex authorization needs Profile & Password Management Integration

Today, Identity Management is a classic “Systems Management” problem, tying together through integration the various IAM silos that exist within applications

Application IAM Functionality

User Tables

User ID & Password Stores

User Profiles & Preferences

Custom authentication schemes

Complex authorization needs

Profile & Password Management

… And IdM Headaches Enterprises must deal with complex challenges in deploying IdM Integration Costs Monitoring Complex Audit Frameworks Massive Design & Development Efforts Costly Infrastructure Needs Unsatisfactory Security & Compliance Synchronization Problems

Enterprises must deal with complex challenges in deploying IdM

Lets not forget Technologies, standards are evolving and changing quite rapidly New technologies and methodologies emerge everyday Witness the birth of “user-centric identity” The translation of regulations into requirements is still ongoing Regulations will continue to become more onerous

Technologies, standards are evolving and changing quite rapidly

New technologies and methodologies emerge everyday

Witness the birth of “user-centric identity”

The translation of regulations into requirements is still ongoing

Regulations will continue to become more onerous

So what do we need? We need to change the way the game is played

We need to change the way the game is played

A New Approach An Identity Management Methodology that… … understands the needs of the application developer … understands the needs of the security architect … understands the needs of the project manager … understands the needs of the compliance manager … understands the needs of the enterprise administrator An Identity Infrastructure that provides… … the IdM services necessary for a complete solution … the tooling to build IdM into applications … the interfaces to abstract applications from the details Enter: Application-Centric Identity Management

An Identity Management Methodology that…

… understands the needs of the application developer

… understands the needs of the security architect

… understands the needs of the project manager

… understands the needs of the compliance manager

… understands the needs of the enterprise administrator

An Identity Infrastructure that provides…

… the IdM services necessary for a complete solution

… the tooling to build IdM into applications

… the interfaces to abstract applications from the details

Defining Application-Centric IdM Evolve from Identity Management Systems to Identity Management Infrastructure built on Identity Services Application Centric Identity Management Is: Woven-In versus Bolted-On Standards-based versus Proprietary Integrated Suite versus Point Solutions Brings identities into the application business process, making IdM an inherent feature of applications

Evolve from Identity Management Systems to Identity Management Infrastructure built on Identity Services

Application Centric Identity Management Is:

Woven-In versus Bolted-On

Standards-based versus Proprietary

Integrated Suite versus Point Solutions

Brings identities into the application business process, making IdM an inherent feature of applications

Burton Group’s view of IdM Evolution circa 2005 Source: Enterprise Identity Management Market 2005: Battle of the Brands Mike Neuenschwander, Vice President and Research Director, Burton Group Products Suites Services Inherent How do we get there?

Oracle’s Application-Centric Approach IdM evolved for the needs of the enterprise Combination of methodology and technology Focuses on the concept of “Identity as a Service” IdM becomes an infrastructure service in addition to a system management function Management of user identities will be woven into the applications themselves, making the service part of the application’s business process Provides the necessary tooling to externalize IAM functionality from applications Standards-based Interfaces Application-centric features Identity Services Framework

IdM evolved for the needs of the enterprise

Combination of methodology and technology

Focuses on the concept of “Identity as a Service”

IdM becomes an infrastructure service in addition to a system management function

Management of user identities will be woven into the applications themselves, making the service part of the application’s business process

Provides the necessary tooling to externalize IAM functionality from applications

Standards-based Interfaces

Application-centric features

Identity Services Framework

Identity Services Framework Oracle’s proposed Identity Services Framework is a framework that will enable enterprises to integrate identity services into their application development and application runtime environments Applications written to the ISF can embed IAM functionality as part of their inherent business processes without having to code it themselves Conforms to the SOA approach to enterprise development, promoting loose coupling to ensure long term viability and heterogeneity of business solutions

Oracle’s proposed Identity Services Framework is a framework that will enable enterprises to integrate identity services into their application development and application runtime environments

Applications written to the ISF can embed IAM functionality as part of their inherent business processes without having to code it themselves

Conforms to the SOA approach to enterprise development, promoting loose coupling to ensure long term viability and heterogeneity of business solutions

Identity Services Framework Identity Services Authorization Provisioning Administration Audit Federation Identity Provider Authentication Others… E N T E R P R I S E I D M I N F R A S T R U C T U R E M A N A G E M E N T & A D M I N Users Business Applications Role Provider Compliance I D E N T I T Y S E R V I C E S I N T ERFAC E S

Identity Services Framework Authentication Multi-token authentication support via WS-Trust Security Token exchange Service (STS) Graded authentication support Assurance levels Strong authentication Authentication w/ context Identity Services Authorization Provisioning Administration Audit Federation Identity Provider Authentication Others… E N T E R P R I S E I D M I N F R A S T R U C T U R E M A N A G E M E N T & A D M I N Users Business Applications Role Provider I D E N T I T Y S E R V I C E S I N T ERFAC E S Compliance

Multi-token authentication support via WS-Trust

Security Token exchange Service (STS)

Graded authentication support

Assurance levels

Strong authentication

Authentication w/ context

Identity Services Framework Federation Multi-protocol federated support for IdP and SP Seamless integration with WAM systems (SP side) Support for browser-based and SOA-based federation Federated provisioning Identity Services Authorization Provisioning Administration Audit Federation Identity Provider Authentication Others… E N T E R P R I S E I D M I N F R A S T R U C T U R E M A N A G E M E N T & A D M I N Users Business Applications Role Provider I D E N T I T Y S E R V I C E S I N T ERFAC E S Compliance

Multi-protocol federated support for IdP and SP

Seamless integration with WAM systems (SP side)

Support for browser-based and SOA-based federation

Federated provisioning

Identity Services Framework Authorization Provide an externalized Fine-Grained Authorization service Authorization services via XACML request/response Access policy administration with support for import/export of XACML policies Integrated with RBAC model and Role Provider Identity Services Authorization Provisioning Administration Audit Federation Identity Provider Authentication Others… E N T E R P R I S E I D M I N F R A S T R U C T U R E M A N A G E M E N T & A D M I N Users Business Applications Role Provider I D E N T I T Y S E R V I C E S I N T ERFAC E S Compliance

Provide an externalized Fine-Grained Authorization service

Authorization services via XACML request/response

Access policy administration with support for import/export of XACML policies

Integrated with RBAC model and Role Provider

Identity Services Framework Identity Provider Virtualize multiple identity data sources into single view End-users Business partners Departmental Systems Applications (HR, CRM) Support both definitive (date of birth) and derived (over 21) identity data retrieval Declarative model for consumption of attributes by applications Declarative security model for authorities that provide attributes Full support for delegated permission model Identity Services Authorization Provisioning Administration Audit Federation Identity Provider Authentication Others… E N T E R P R I S E I D M I N F R A S T R U C T U R E M A N A G E M E N T & A D M I N Users Business Applications Role Provider I D E N T I T Y S E R V I C E S I N T ERFAC E S Compliance

Virtualize multiple identity data sources into single view

End-users

Business partners

Departmental Systems

Applications (HR, CRM)

Support both definitive (date of birth) and derived (over 21) identity data retrieval

Declarative model for consumption of attributes by applications

Declarative security model for authorities that provide attributes

Full support for delegated permission model

Identity Services Framework Role Provider Enable RBAC adoption Support Enterprise Roles as well as Application Roles Support context sensitive, relationship based Role structures Support session-based role determinations Graded Authentication Dynamic SoD Identity Services Authorization Provisioning Administration Audit Federation Identity Provider Authentication Others… E N T E R P R I S E I D M I N F R A S T R U C T U R E M A N A G E M E N T & A D M I N Users Business Applications Role Provider I D E N T I T Y S E R V I C E S I N T ERFAC E S Compliance

Enable RBAC adoption

Support Enterprise Roles as well as Application Roles

Support context sensitive, relationship based Role structures

Support session-based role determinations

Graded Authentication

Dynamic SoD

Identity Services Framework Administration Allow applications to register as authoritative for identities, attributes Support management of the identity information Support role and relationship management Provide necessary security and business controls: workflow, rules, audit, SoD Identity Services Authorization Provisioning Administration Audit Federation Identity Provider Authentication Others… E N T E R P R I S E I D M I N F R A S T R U C T U R E M A N A G E M E N T & A D M I N Users Business Applications Role Provider I D E N T I T Y S E R V I C E S I N T ERFAC E S Compliance

Allow applications to register as authoritative for identities, attributes

Support management of the identity information

Support role and relationship management

Provide necessary security and business controls: workflow, rules, audit, SoD

Identity Services Framework Provisioning New concept: internal provisioning Applications delegate their own account creation and management responsibilities to IdM service Allows for better enforcement of policies: workflow, business rules, SoD, audit Identity Services Authorization Provisioning Administration Audit Federation Identity Provider Authentication Others… E N T E R P R I S E I D M I N F R A S T R U C T U R E M A N A G E M E N T & A D M I N Users Business Applications Role Provider I D E N T I T Y S E R V I C E S I N T ERFAC E S Compliance

New concept: internal provisioning

Applications delegate their own account creation and management responsibilities to IdM service

Allows for better enforcement of policies: workflow, business rules, SoD, audit

Identity Services Framework Audit Provide centralized identity related audit service Support audit data retrieval by authorized applications Identity Services Authorization Provisioning Administration Audit Federation Identity Provider Authentication Others… E N T E R P R I S E I D M I N F R A S T R U C T U R E M A N A G E M E N T & A D M I N Users Business Applications Role Provider I D E N T I T Y S E R V I C E S I N T ERFAC E S Compliance

Provide centralized identity related audit service

Support audit data retrieval by authorized applications

Identity Services Framework Cross-cutting concern Provide centralized SoD policy enforcement engine Detective controls Preventive controls Proactive Detection Support comprehensive attestation, exception management and security controls Compliance Identity Services Authorization Provisioning Administration Audit Federation Identity Provider Authentication Others… E N T E R P R I S E I D M I N F R A S T R U C T U R E M A N A G E M E N T & A D M I N Users Business Applications Role Provider I D E N T I T Y S E R V I C E S I N T ERFAC E S Compliance

Cross-cutting concern

Provide centralized SoD policy enforcement engine

Detective controls

Preventive controls

Proactive Detection

Support comprehensive attestation, exception management and security controls

Identity Services Framework Abstraction layer that provides interface into the identity services Includes APIs, protocols and policies Integration with IDEs Contains provider framework for adapters, plug-ins and connectors Standards-based Current (updated) New (under development) Declarative controls for data access, identity operations SAML, XACML, WS-Trust, JAAS, SPML, DSML, LDAP,… Identity Services Authorization Provisioning Administration Audit Federation Identity Provider Authentication Others… E N T E R P R I S E I D M I N F R A S T R U C T U R E M A N A G E M E N T & A D M I N Users Business Applications Role Provider I D E N T I T Y S E R V I C E S I N T ERFAC E S Compliance I D E N T I T Y S E R V I C E S I N T ERFAC E S

Abstraction layer that provides interface into the identity services

Includes APIs, protocols and policies

Integration with IDEs

Contains provider framework for adapters, plug-ins and connectors

Standards-based

Current (updated)

New (under development)

Declarative controls for data access, identity operations

Our Application Reinvented Users Business Applications Lower costs and increased efficiencies Eliminate costly connector development Make identity (and security) an integral yet abstracted part of the application development process Faster deployments Improved security and compliance Principle of “Least Knowledge” Separation of duties between the application developer and the security policy administrator Improved, consistent user experience Better integration of IdM with HR processes Greater business agility Leverage a service-oriented IdM infrastructure Loose-coupling and independence of Applications APPLICATION-CENTRIC IDM BENEFITS

Lower costs and increased efficiencies

Eliminate costly connector development

Make identity (and security) an integral yet abstracted part of the application development process

Faster deployments

Improved security and compliance

Principle of “Least Knowledge”

Separation of duties between the application developer and the security policy administrator

Improved, consistent user experience

Better integration of IdM with HR processes

Greater business agility

Leverage a service-oriented IdM infrastructure

Loose-coupling and independence of Applications

Don’t Take The Pre-Season Lightly Preparing your enterprise Measure your IdM maturity Deploy an IdM solution today to shore up gaps in application security and put the business controls in place Don’t underestimate the time this will take Choose an IdM vendor with a services focus Create componentized security modules in custom developed applications Try externalizing components like authorization, audit Create abstraction wrappers to enable the switch tomorrow Engage with us and help define the ISF protocols

Measure your IdM maturity

Deploy an IdM solution today to shore up gaps in application security and put the business controls in place

Don’t underestimate the time this will take

Choose an IdM vendor with a services focus

Create componentized security modules in custom developed applications

Try externalizing components like authorization, audit

Create abstraction wrappers to enable the switch tomorrow

Engage with us and help define the ISF protocols

<Insert Picture Here> “ IDC believes that a new phase of identity management is emerging, which weaves the management of user identities directly into the applications themselves so that the service is part of the applications' business processes. This application centric approach to IAM should save organizations significant dollars in integration costs, while increasing security and providing business agility.” Sally Hudson Research Manager, Security Products and Services, IDC

For More Information S281637 – Managing Security in the world of SOA and Web 2.0 10/26, 11.00AM, 308 South S281656 – The road to compliance: Presenting Oracle's Compliance Reference Model for achieving compliance through Identity Management 10/26, 11.00AM, 309 South S281332 – Applying Open Standards to Identity Management Business Problems 10/26, 12.30PM, 309 South S283222 – Introduction to Oracle Web Services Manager 10/26, 12.30PM, 307 South ADDITIONAL SESSIONS Visit our demos in Moscone South -- Middleware Identity Audit & Compliance Oracle Identity Manager Oracle Virtual Directory Oracle Identity Management Suite Manageability Oracle Access Manager Oracle Identity Federation Visit our demos in Moscone West -- Security Pavilion Identity Audit & Compliance Oracle Enterprise Single Sign-On Suite Oracle Extended Identity Management Ecosystem Visit our product pages at: www.OTN.oracle.com www.Oracle.com www.Oracle.com/Identity PRODUCTS IN ACTION LEARN MORE

S281637 – Managing Security in the world of SOA and Web 2.0

10/26, 11.00AM, 308 South

S281656 – The road to compliance: Presenting Oracle's Compliance Reference Model for achieving compliance through Identity Management

10/26, 11.00AM, 309 South

S281332 – Applying Open Standards to Identity Management Business Problems

10/26, 12.30PM, 309 South

S283222 – Introduction to Oracle Web Services Manager

10/26, 12.30PM, 307 South

Visit our demos in Moscone South -- Middleware

Identity Audit & Compliance

Oracle Identity Manager

Oracle Virtual Directory

Oracle Identity Management Suite Manageability

Oracle Access Manager

Oracle Identity Federation

Visit our demos in Moscone West -- Security Pavilion

Identity Audit & Compliance

Oracle Enterprise Single Sign-On Suite

Oracle Extended Identity Management Ecosystem

Visit our product pages at:

www.OTN.oracle.com

www.Oracle.com

www.Oracle.com/Identity

Continue the Dialogue http://www.talkingidentity.com

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.