Application-Centric Identity Management:Identity-enabled applications made easy
[My Oracle OpenWorld 2006 Presentation]
My first presentation on the concept of identity services, and how it allows the creation of identity-enabled applications

  • Increasing legal and regulatory concern about access to identity-related data about users
    • Privacy concerns: HIPAA, SB 1386, theft of user data
    • Compliance: SOX, GLB, EU legislation
    • Who has access to my social security number or account number, and under what conditions?
  • Effective business applications require flexible access to data about users
    • The value of data held by the enterprise lies in its use!
    • User data may be shared across corporate or departmental boundaries
  • CHALLENGE: Need an enterprise-wide framework for managing access to identity-related data provided by multiple sources

Presentation Transcript

  • Application-Centric Identity Management: Identity-enabled applications made easy Nishant Kaushik Oracle Identity Management
  • Oracle Fusion Middleware
  • The Backdrop: Usage, Concerns, Location, Needs
    • Business application usage of identity-related data is increasing
    • Regulatory concerns require centralized controls
    • Identity theft, privacy concerns creating need for policies around access and use
    • Identity data is distributed in multiple sources
    • Multiple applications contribute to the overall identity data
    • Administrators asking for optimizations
    • Users asking for consistency, ease of use
  • How do Applications deal with Identity
    • Let’s look at the workings of a typical application during a user interaction
    • A business application, during a user interaction:
      • Needs to know who is connecting
      • May need biographical information (name, address)
      • Often needs information on roles, entitlements, privileges
      • Needs information on policies, relationships, rules
      • May need email address
      • Much, much more…
  • How do Applications deal with Identity
    • So, application developers end up building…
    • User tables
    • Role repository
    • Policy repository
    • Registration processes
    • Administration functionality
    • Profile management
    • Security & business policy enforcement
  • How do Applications deal with Identity
    • Meta-directories and authentication tools (an LDAP identity store, SSO) made a dent
    • But didn’t take us far enough…
  • The Result: IdM Complexity …
    • Today, Identity Management is a classic “Systems Management” problem: tying together, through integration, the various IAM silos that exist within applications
    • Application IAM functionality found in each silo:
      • User Tables
      • User ID & Password Stores
      • User Profiles & Preferences
      • Custom authentication schemes
      • Complex authorization needs
      • Profile & Password Management
  • … And IdM Headaches
    • Enterprises must deal with complex challenges in deploying IdM:
      • Integration costs
      • Monitoring
      • Complex audit frameworks
      • Massive design & development efforts
      • Costly infrastructure needs
      • Unsatisfactory security & compliance
      • Synchronization problems
  • Let’s not forget
    • Technologies, standards are evolving and changing quite rapidly
    • New technologies and methodologies emerge everyday
      • Witness the birth of “user-centric identity”
    • The translation of regulations into requirements is still ongoing
    • Regulations will continue to become more onerous
  • So what do we need?
    • We need to change the way the game is played
  • A New Approach
    • An Identity Management Methodology that…
      • … understands the needs of the application developer
      • … understands the needs of the security architect
      • … understands the needs of the project manager
      • … understands the needs of the compliance manager
      • … understands the needs of the enterprise administrator
    • An Identity Infrastructure that provides…
      • … the IdM services necessary for a complete solution
      • … the tooling to build IdM into applications
      • … the interfaces to abstract applications from the details
    Enter: Application-Centric Identity Management
  • Defining Application-Centric IdM
    • Evolve from Identity Management Systems to Identity Management Infrastructure built on Identity Services
    • Application Centric Identity Management Is:
      • Woven-In versus Bolted-On
      • Standards-based versus Proprietary
      • Integrated Suite versus Point Solutions
    • Brings identities into the application business process, making IdM an inherent feature of applications
  • Burton Group’s view of IdM evolution circa 2005: Products → Suites → Services → Inherent. How do we get there?
    Source: Enterprise Identity Management Market 2005: Battle of the Brands, Mike Neuenschwander, Vice President and Research Director, Burton Group
  • Oracle’s Application-Centric Approach
    • IdM evolved for the needs of the enterprise
    • Combination of methodology and technology
    • Focuses on the concept of “Identity as a Service”
      • IdM becomes an infrastructure service in addition to a system management function
      • Management of user identities will be woven into the applications themselves, making the service part of the application’s business process
    • Provides the necessary tooling to externalize IAM functionality from applications
      • Standards-based Interfaces
      • Application-centric features
      • Identity Services Framework
  • Identity Services Framework
    • Oracle’s proposed Identity Services Framework (ISF) will enable enterprises to integrate identity services into their application development and application runtime environments
    • Applications written to the ISF can embed IAM functionality as part of their inherent business processes without having to code it themselves
    • Conforms to the SOA approach to enterprise development, promoting loose coupling to ensure long term viability and heterogeneity of business solutions
  • Identity Services Framework
    [Diagram: Identity Services Interfaces sit between Users / Business Applications and the Enterprise IdM Infrastructure (management & admin). Identity Services shown: Authentication, Authorization, Federation, Identity Provider, Role Provider, Provisioning, Administration, Audit, Compliance, Others…]
  • Identity Services Framework Authentication
    • Multi-token authentication support via WS-Trust
    • Security Token exchange Service (STS)
    • Graded authentication support
      • Assurance levels
      • Strong authentication
      • Authentication w/ context
  • Identity Services Framework Federation
    • Multi-protocol federated support for IdP and SP
    • Seamless integration with WAM systems (SP side)
    • Support for browser-based and SOA-based federation
    • Federated provisioning
  • Identity Services Framework Authorization
    • Provide an externalized Fine-Grained Authorization service
    • Authorization services via XACML request/response
    • Access policy administration with support for import/export of XACML policies
    • Integrated with RBAC model and Role Provider
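The XACML request/response exchange the Authorization bullets describe, as an added example that is not part of the original presentation and not code from any Oracle product: a small Python policy decision point (PDP) that takes an XACML 2.0 context request built by the application (the policy enforcement point, PEP) and returns an XACML response. The namespace and attribute identifiers are the standard XACML 2.0 ones, including the role attribute from the XACML RBAC profile; the policy itself (rules for the teller, manager and contractor roles, combined deny-overrides) is a constructed in-memory stand-in for an XACML <Policy> document, and the subjects and resources are made up for the example.

```python
"""Added example: an application (PEP) asks an externalized policy decision point (PDP)
for a decision over an XACML 2.0 context request/response. POLICY is a simplified
in-memory stand-in for an XACML <Policy>; the XML uses the real XACML 2.0 identifiers."""
import xml.etree.ElementTree as ET

CTX = "{urn:oasis:names:tc:xacml:2.0:context:schema:os}"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE_ID = "urn:oasis:names:tc:xacml:2.0:subject:role"      # XACML RBAC profile role attribute
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed sample policy: each rule targets one role, one resource and one action.
# Matching rules are combined deny-overrides, as a real XACML policy could specify.
POLICY = [
    {"effect": "Permit", "role": "teller", "resource": "account", "action": "read"},
    {"effect": "Permit", "role": "manager", "resource": "account", "action": "read"},
    {"effect": "Permit", "role": "manager", "resource": "account", "action": "approve"},
    {"effect": "Deny", "role": "contractor", "resource": "account", "action": "approve"},
]


def _add_attribute(parent, attr_id, value):
    attr = ET.SubElement(parent, CTX + "Attribute", AttributeId=attr_id, DataType=XS_STRING)
    ET.SubElement(attr, CTX + "AttributeValue").text = value


def build_request(subject_id, roles, resource_id, action):
    """PEP side: who is asking (subject + roles), for what (resource), to do what (action)."""
    req = ET.Element(CTX + "Request")
    subject = ET.SubElement(req, CTX + "Subject")
    _add_attribute(subject, SUBJECT_ID, subject_id)
    for role in roles:
        _add_attribute(subject, ROLE_ID, role)
    _add_attribute(ET.SubElement(req, CTX + "Resource"), RESOURCE_ID, resource_id)
    _add_attribute(ET.SubElement(req, CTX + "Action"), ACTION_ID, action)
    ET.SubElement(req, CTX + "Environment")
    return ET.tostring(req, encoding="unicode")


def _values(element, attr_id):
    """All AttributeValue strings under element that carry the given AttributeId."""
    return [av.text for a in element.findall(CTX + "Attribute") if a.get("AttributeId") == attr_id
            for av in a.findall(CTX + "AttributeValue")]


def evaluate(request_xml):
    """PDP side: parse the request, apply the policy, return an XACML <Response>."""
    req = ET.fromstring(request_xml)
    roles = {v for s in req.findall(CTX + "Subject") for v in _values(s, ROLE_ID)}
    resources = _values(req.find(CTX + "Resource"), RESOURCE_ID)
    actions = _values(req.find(CTX + "Action"), ACTION_ID)
    effects = [r["effect"] for r in POLICY
               if r["role"] in roles and r["resource"] in resources and r["action"] in actions]
    if "Deny" in effects:            # deny-overrides: one Deny beats any number of Permits
        decision = "Deny"
    elif "Permit" in effects:
        decision = "Permit"
    else:
        decision = "NotApplicable"   # no rule targets this request; the PEP must treat it as a denial
    resp = ET.Element(CTX + "Response")
    result = ET.SubElement(resp, CTX + "Result")
    ET.SubElement(result, CTX + "Decision").text = decision
    status = ET.SubElement(result, CTX + "Status")
    ET.SubElement(status, CTX + "StatusCode", Value="urn:oasis:names:tc:xacml:1.0:status:ok")
    return ET.tostring(resp, encoding="unicode")


def decision(response_xml):
    """PEP side: pull the decision out of the response."""
    return ET.fromstring(response_xml).find(CTX + "Result/" + CTX + "Decision").text


def authorize(subject_id, roles, resource_id, action):
    """The whole round trip an application makes instead of hard-coding its own checks."""
    return decision(evaluate(build_request(subject_id, roles, resource_id, action)))


if __name__ == "__main__":
    print(build_request("alice", ["teller"], "account", "read"))
    print(authorize("alice", ["teller"], "account", "read"))                  # Permit
    print(authorize("bob", ["manager", "contractor"], "account", "approve"))   # Deny
    print(authorize("carol", [], "account", "read"))                          # NotApplicable
```

The application code contains no rules at all: it only knows how to phrase the question and that anything other than Permit is a refusal. Changing who may approve an account is then a policy-administration change, not a code change, which is the developer/policy-administrator separation of duties the benefits slide calls for.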
  • Identity Services Framework Identity Provider
    • Virtualize multiple identity data sources into single view
      • End-users
      • Business partners
      • Departmental Systems
      • Applications (HR, CRM)
    • Support both definitive (date of birth) and derived (over 21) identity data retrieval
    • Declarative model for consumption of attributes by applications
    • Declarative security model for authorities that provide attributes
    • Full support for delegated permission model
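Definitive versus derived attributes and the declarative consumption model, as an added example that is not Oracle's Identity Provider service and not code from the presentation: a Python stand-in that virtualizes three constructed sources into one view, lets each application read only the attributes it has registered for, and computes derived values such as over_21 inside the service, so the definitive date of birth never reaches an application that only needs the derived answer (the “least knowledge” principle from the benefits slide). The source names, attribute names, applications and the sample user are all made up for the example.

```python
"""Added example: an identity-provider service that virtualizes several sources,
enforces each application's declared attribute consumption, and returns derived
attributes so definitive data stays inside the service (least knowledge)."""
from datetime import date

# Constructed sample sources standing in for HR, CRM and a departmental directory.
HR = {"u1001": {"name": "Alice Example", "dob": date(1990, 5, 2), "dept": "Finance"}}
CRM = {"u1001": {"account_no": "4111222233334444"}}
DIRECTORY = {"u1001": {"email": "alice@example.com"}}
SOURCES = (("hr", HR), ("crm", CRM), ("dir", DIRECTORY))   # order = order of authority


def _age(dob, today):
    """Whole years from dob to today."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


# Derived attributes: name -> (definitive attribute it is computed from, function).
DERIVED = {
    "over_21": ("dob", lambda dob, today: _age(dob, today) >= 21),
    "account_last4": ("account_no", lambda acct, today: acct[-4:]),
}

# Declarative consumption model: each application registers the attributes it may read.
CONSUMERS = {
    "age-gated-shop": {"name", "over_21"},
    "billing": {"name", "email", "account_last4"},
    "hr-portal": {"name", "dob", "dept"},
}

AUDIT = []  # (app, user_id, attribute, source) records handed to the audit service


def virtual_view(user_id):
    """Single view over all sources: attribute -> (value, source it came from)."""
    view = {}
    for source, store in SOURCES:
        for attr, value in store.get(user_id, {}).items():
            view.setdefault(attr, (value, source))  # first source in authority order wins
    return view


def can_consume(app, attrs):
    """True only if every requested attribute is in the application's declaration."""
    return set(attrs) <= CONSUMERS.get(app, set())


def lookup(app, user_id, attrs, today=None):
    """Return the requested attributes for app, or refuse the whole call.

    Undeclared attributes are refused before anything is read. Derived attributes
    are computed here, so the age-gated shop gets over_21 but never the date of
    birth it is derived from. `today` may be a date or an ISO string (for tests)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    if not can_consume(app, attrs):
        refused = sorted(set(attrs) - CONSUMERS.get(app, set()))
        raise PermissionError(f"{app} is not registered to consume {refused}")
    view = virtual_view(user_id)
    result = {}
    for attr in attrs:
        if attr in DERIVED:
            base, derive = DERIVED[attr]
            value, source = view[base]          # definitive value stays in this function
            result[attr] = derive(value, today)
        else:
            result[attr], source = view[attr]
        AUDIT.append((app, user_id, attr, source))
    return result


if __name__ == "__main__":
    print(lookup("age-gated-shop", "u1001", ["name", "over_21"]))
    print(lookup("billing", "u1001", ["account_last4"]))   # {'account_last4': '4444'}
    print(can_consume("age-gated-shop", ["dob"]))          # False: the shop must not see the DOB
```

Two things are worth copying from this shape even with a real product behind it: the refusal happens before any source is read (so an undeclared attribute never even generates a backend query), and every returned attribute is logged together with the source that supplied it, which is what the Audit service needs to answer the “who had access to my account number, and under what conditions” question from the opening notes.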
  • Identity Services Framework Role Provider
    • Enable RBAC adoption
    • Support Enterprise Roles as well as Application Roles
    • Support context sensitive, relationship based Role structures
    • Support session-based role determinations
      • Graded Authentication
      • Dynamic SoD
  • Identity Services Framework Administration
    • Allow applications to register as authoritative for identities, attributes
    • Support management of the identity information
    • Support role and relationship management
    • Provide necessary security and business controls: workflow, rules, audit, SoD
  • Identity Services Framework Provisioning
    • New concept: internal provisioning
    • Applications delegate their own account creation and management responsibilities to IdM service
    • Allows for better enforcement of policies: workflow, business rules, SoD, audit
  • Identity Services Framework Audit
    • Provide centralized identity related audit service
    • Support audit data retrieval by authorized applications
  • Identity Services Framework Compliance
    • Cross-cutting concern
    • Provide centralized SoD policy enforcement engine
      • Detective controls
      • Preventive controls
      • Proactive Detection
    • Support comprehensive attestation, exception management and security controls
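Session-based role determination with graded authentication and dynamic SoD (the Role Provider slide), together with the preventive and detective SoD controls of the Compliance slide, as one added example that is not part of the presentation and not code from any Oracle product. The role names, assurance levels, conflicting role pairs and user grants are constructed for the example; in a real deployment the session's assurance level would come from the authentication service's assertion rather than from a constructor argument.

```python
"""Added example: a role provider that determines roles per session rather than per
user record. Activating a role depends on the session's authentication assurance
level (graded authentication) and on the roles already active (dynamic SoD). The
same conflict table drives a detective scan over standing grants."""

# Constructed role model: minimum authentication assurance level needed to activate each role.
ROLE_MIN_LEVEL = {"teller": 1, "auditor": 1, "payments_initiator": 2, "payments_approver": 2}

# Constructed mutually exclusive role pairs.
SOD_PAIRS = {frozenset({"payments_initiator", "payments_approver"}),
             frozenset({"auditor", "payments_approver"})}

# Constructed grants from the administration service (user -> assigned roles).
ASSIGNED = {
    "alice": {"teller", "payments_initiator", "payments_approver"},  # a conflicting grant
    "bob": {"auditor", "teller"},
}


def conflicts(roles):
    """Which SoD pairs are fully contained in roles (empty set means no conflict)."""
    roles = set(roles)
    return {pair for pair in SOD_PAIRS if pair <= roles}


def review_assignments(assigned=ASSIGNED):
    """Detective control: users whose standing grants already violate SoD."""
    return {user: conflicts(roles) for user, roles in assigned.items() if conflicts(roles)}


class Session:
    """One authenticated session; roles are activated into it, not read off the user."""

    def __init__(self, user, auth_level, assigned=ASSIGNED):
        self.user = user
        self.auth_level = auth_level              # assurance level asserted by authentication
        self.assigned = set(assigned.get(user, set()))
        self.active = set()

    def step_up(self, auth_level):
        """Re-authentication with a stronger credential raises the assurance level."""
        self.auth_level = max(self.auth_level, auth_level)

    def available_roles(self):
        """Roles this session could activate right now: assigned, not yet active,
        authentication strong enough, and no conflict with the roles already active."""
        return {r for r in self.assigned - self.active
                if self.auth_level >= ROLE_MIN_LEVEL[r] and not conflicts(self.active | {r})}

    def activate(self, role):
        """Preventive control: returns (True, 'activated') or (False, reason)."""
        if role not in self.assigned:
            return False, "not assigned"
        if self.auth_level < ROLE_MIN_LEVEL[role]:
            return False, "step-up authentication required"
        if conflicts(self.active | {role}):
            return False, "dynamic SoD conflict"
        self.active.add(role)
        return True, "activated"


if __name__ == "__main__":
    s = Session("alice", auth_level=1)
    print(s.activate("teller"))                # (True, 'activated')
    print(s.activate("payments_initiator"))    # (False, 'step-up authentication required')
    s.step_up(2)
    print(s.activate("payments_initiator"))    # (True, 'activated')
    print(s.activate("payments_approver"))     # (False, 'dynamic SoD conflict')
    print(review_assignments())                # alice's standing grant is flagged
```

Note the two different answers the same conflict table gives: the preventive check stops alice from holding initiator and approver in one session, while the detective scan reports that she should not have been granted both in the first place, which is the exception the compliance service's attestation and exception-management process has to resolve.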
  • Identity Services Framework Identity Services Interfaces
    • Abstraction layer that provides interface into the identity services
      • Includes APIs, protocols and policies
    • Integration with IDEs
    • Contains provider framework for adapters, plug-ins and connectors
    • Standards-based
      • Current (updated)
      • New (under development)
        • Declarative controls for data access, identity operations
      • SAML, XACML, WS-Trust, JAAS, SPML, DSML, LDAP, …
  • Our Application Reinvented
    • Lower costs and increased efficiencies
      • Eliminate costly connector development
      • Make identity (and security) an integral yet abstracted part of the application development process
      • Faster deployments
    • Improved security and compliance
      • Principle of “Least Knowledge”
      • Separation of duties between the application developer and the security policy administrator
    • Improved, consistent user experience
    • Better integration of IdM with HR processes
    • Greater business agility
      • Leverage a service-oriented IdM infrastructure
      • Loose-coupling and independence of Applications
    APPLICATION-CENTRIC IDM BENEFITS
  • Don’t Take The Pre-Season Lightly: Preparing your enterprise
    • Measure your IdM maturity
    • Deploy an IdM solution today to shore up gaps in application security and put the business controls in place
      • Don’t underestimate the time this will take
    • Choose an IdM vendor with a services focus
    • Create componentized security modules in custom developed applications
      • Try externalizing components like authorization, audit
      • Create abstraction wrappers to enable the switch tomorrow
    • Engage with us and help define the ISF protocols
  • “IDC believes that a new phase of identity management is emerging, which weaves the management of user identities directly into the applications themselves so that the service is part of the applications' business processes. This application centric approach to IAM should save organizations significant dollars in integration costs, while increasing security and providing business agility.” Sally Hudson, Research Manager, Security Products and Services, IDC
  • For More Information
    • S281637 – Managing Security in the world of SOA and Web 2.0
      • 10/26, 11.00AM, 308 South
    • S281656 – The road to compliance: Presenting Oracle's Compliance Reference Model for achieving compliance through Identity Management
      • 10/26, 11.00AM, 309 South
    • S281332 – Applying Open Standards to Identity Management Business Problems
      • 10/26, 12.30PM, 309 South
    • S283222 – Introduction to Oracle Web Services Manager
      • 10/26, 12.30PM, 307 South
    ADDITIONAL SESSIONS
    • Visit our demos in Moscone South -- Middleware
      • Identity Audit & Compliance
      • Oracle Identity Manager
      • Oracle Virtual Directory
      • Oracle Identity Management Suite Manageability
      • Oracle Access Manager
      • Oracle Identity Federation
    • Visit our demos in Moscone West -- Security Pavilion
      • Identity Audit & Compliance
      • Oracle Enterprise Single Sign-On Suite
      • Oracle Extended Identity Management Ecosystem
    • Visit our product pages at:
      • www.OTN.oracle.com
      • www.Oracle.com
      • www.Oracle.com/Identity
    PRODUCTS IN ACTION LEARN MORE
  • Continue the Dialogue http://www.talkingidentity.com
  • The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.