Application-Centric Identity Management:Identity-enabled applications made easy

Application-Centric Identity Management: Identity-enabled applications made easy Nishant Kaushik Oracle Identity Management

Oracle Fusion Middleware

The Backdrop Usage Concerns Location Needs
Business application usage of identity-related data is increasing
Regulatory concerns require centralized controls
Identity theft, privacy concerns creating need for policies around access and use
Identity data is distributed in multiple sources
Multiple applications contribute to the overall identity data
Administrators asking for optimizations
Users asking for consistency, ease of use
Identity

How do Applications deal with Identity
Let’s look at the workings of a typical application during a user interaction
Users Business Applications Needs to know who is connecting May need biographical information (name, address) Often needs information on roles, entitlements, privileges Needs information on policies, relationships, rules May need email address Much, much more…

So, application developers end up building…
User tables
Role repository
Policy repository
Registration processes
Administration functionality
Profile management
Security & business policy enforcement
…
Users Business Applications

Meta-directories and authentication tools made a dent
Business Applications LDAP
But didn’t take us far enough…
Identity Store
SSO
Users

The Result: IdM Complexity …
Today, Identity Management is a classic “Systems Management” problem, tying together through integration the various IAM silos that exist within applications
. . .
Application IAM Functionality
User Tables
User ID & Password Stores
User Profiles & Preferences
Custom authentication schemes
Complex authorization needs
Profile & Password Management
Integration

… And IdM Headaches
Enterprises must deal with complex challenges in deploying IdM
Integration Costs Monitoring Complex Audit Frameworks Massive Design & Development Efforts Costly Infrastructure Needs Unsatisfactory Security & Compliance Synchronization Problems

Lets not forget
Technologies, standards are evolving and changing quite rapidly
New technologies and methodologies emerge everyday
Witness the birth of “user-centric identity”
The translation of regulations into requirements is still ongoing
Regulations will continue to become more onerous

So what do we need?
We need to change the way the game is played

A New Approach
An Identity Management Methodology that…
… understands the needs of the application developer
… understands the needs of the security architect
… understands the needs of the project manager
… understands the needs of the compliance manager
… understands the needs of the enterprise administrator
An Identity Infrastructure that provides…
… the IdM services necessary for a complete solution
… the tooling to build IdM into applications
… the interfaces to abstract applications from the details
Enter: Application-Centric Identity Management

Defining Application-Centric IdM
Evolve from Identity Management Systems to Identity Management Infrastructure built on Identity Services
Application Centric Identity Management Is:
Woven-In versus Bolted-On
Standards-based versus Proprietary
Integrated Suite versus Point Solutions
Brings identities into the application business process, making IdM an inherent feature of applications

Burton Group’s view of IdM Evolution circa 2005 Source: Enterprise Identity Management Market 2005: Battle of the Brands Mike Neuenschwander, Vice President and Research Director, Burton Group Products Suites Services Inherent How do we get there?

Oracle’s Application-Centric Approach
IdM evolved for the needs of the enterprise
Combination of methodology and technology
Focuses on the concept of “Identity as a Service”
IdM becomes an infrastructure service in addition to a system management function
Management of user identities will be woven into the applications themselves, making the service part of the application’s business process
Provides the necessary tooling to externalize IAM functionality from applications
Standards-based Interfaces
Application-centric features
Identity Services Framework

Oracle’s proposed Identity Services Framework is a framework that will enable enterprises to integrate identity services into their application development and application runtime environments
Applications written to the ISF can embed IAM functionality as part of their inherent business processes without having to code it themselves
Conforms to the SOA approach to enterprise development, promoting loose coupling to ensure long term viability and heterogeneity of business solutions

Identity Services Framework Identity Services Authorization Provisioning Administration Audit Federation Identity Provider Authentication Others… E N T E R P R I S E I D M I N F R A S T R U C T U R E M A N A G E M E N T & A D M I N Users Business Applications Role Provider Compliance I D E N T I T Y S E R V I C E S I N T ERFAC E S

Identity Services Framework Authentication
Multi-token authentication support via WS-Trust
Security Token exchange Service (STS)
Graded authentication support
Assurance levels
Strong authentication
Authentication w/ context
Identity Services Authorization Provisioning Administration Audit Federation Identity Provider Authentication Others… E N T E R P R I S E I D M I N F R A S T R U C T U R E M A N A G E M E N T & A D M I N Users Business Applications Role Provider I D E N T I T Y S E R V I C E S I N T ERFAC E S Compliance

Identity Services Framework Federation
Multi-protocol federated support for IdP and SP
Seamless integration with WAM systems (SP side)
Support for browser-based and SOA-based federation
Federated provisioning

Identity Services Framework Authorization
Provide an externalized Fine-Grained Authorization service
Authorization services via XACML request/response
Access policy administration with support for import/export of XACML policies
Integrated with RBAC model and Role Provider

Identity Services Framework Identity Provider
Virtualize multiple identity data sources into single view
End-users
Business partners
Departmental Systems
Applications (HR, CRM)
Support both definitive (date of birth) and derived (over 21) identity data retrieval
Declarative model for consumption of attributes by applications
Declarative security model for authorities that provide attributes
Full support for delegated permission model

Identity Services Framework Role Provider
Enable RBAC adoption
Support Enterprise Roles as well as Application Roles
Support context sensitive, relationship based Role structures
Support session-based role determinations
Graded Authentication
Dynamic SoD

Identity Services Framework Administration
Allow applications to register as authoritative for identities, attributes
Support management of the identity information
Support role and relationship management
Provide necessary security and business controls: workflow, rules, audit, SoD

Identity Services Framework Provisioning
New concept: internal provisioning
Applications delegate their own account creation and management responsibilities to IdM service
Allows for better enforcement of policies: workflow, business rules, SoD, audit

Identity Services Framework Audit
Provide centralized identity related audit service
Support audit data retrieval by authorized applications

Cross-cutting concern
Provide centralized SoD policy enforcement engine
Detective controls
Preventive controls
Proactive Detection
Support comprehensive attestation, exception management and security controls
Compliance Identity Services Authorization Provisioning Administration Audit Federation Identity Provider Authentication Others… E N T E R P R I S E I D M I N F R A S T R U C T U R E M A N A G E M E N T & A D M I N Users Business Applications Role Provider I D E N T I T Y S E R V I C E S I N T ERFAC E S Compliance

Abstraction layer that provides interface into the identity services
Includes APIs, protocols and policies
Integration with IDEs
Contains provider framework for adapters, plug-ins and connectors
Standards-based
Current (updated)
New (under development)
Declarative controls for data access, identity operations
SAML, XACML, WS-Trust, JAAS, SPML, DSML, LDAP,… Identity Services Authorization Provisioning Administration Audit Federation Identity Provider Authentication Others… E N T E R P R I S E I D M I N F R A S T R U C T U R E M A N A G E M E N T & A D M I N Users Business Applications Role Provider I D E N T I T Y S E R V I C E S I N T ERFAC E S Compliance I D E N T I T Y S E R V I C E S I N T ERFAC E S

Our Application Reinvented Users Business Applications
Lower costs and increased efficiencies
Eliminate costly connector development
Make identity (and security) an integral yet abstracted part of the application development process
Faster deployments
Improved security and compliance
Principle of “Least Knowledge”
Separation of duties between the application developer and the security policy administrator
Improved, consistent user experience
Better integration of IdM with HR processes
Greater business agility
Leverage a service-oriented IdM infrastructure
Loose-coupling and independence of Applications
APPLICATION-CENTRIC IDM BENEFITS

Don’t Take The Pre-Season Lightly Preparing your enterprise
Measure your IdM maturity
Deploy an IdM solution today to shore up gaps in application security and put the business controls in place
Don’t underestimate the time this will take
Choose an IdM vendor with a services focus
Create componentized security modules in custom developed applications
Try externalizing components like authorization, audit
Create abstraction wrappers to enable the switch tomorrow
Engage with us and help define the ISF protocols

<Insert Picture Here> “ IDC believes that a new phase of identity management is emerging, which weaves the management of user identities directly into the applications themselves so that the service is part of the applications' business processes. This application centric approach to IAM should save organizations significant dollars in integration costs, while increasing security and providing business agility.” Sally Hudson Research Manager, Security Products and Services, IDC

For More Information
S281637 – Managing Security in the world of SOA and Web 2.0
10/26, 11.00AM, 308 South
S281656 – The road to compliance: Presenting Oracle's Compliance Reference Model for achieving compliance through Identity Management
10/26, 11.00AM, 309 South
S281332 – Applying Open Standards to Identity Management Business Problems
10/26, 12.30PM, 309 South
S283222 – Introduction to Oracle Web Services Manager
10/26, 12.30PM, 307 South
ADDITIONAL SESSIONS
Visit our demos in Moscone South -- Middleware
Identity Audit & Compliance
Oracle Identity Manager
Oracle Virtual Directory
Oracle Identity Management Suite Manageability
Oracle Access Manager
Oracle Identity Federation
Visit our demos in Moscone West -- Security Pavilion
Identity Audit & Compliance
Oracle Enterprise Single Sign-On Suite
Oracle Extended Identity Management Ecosystem
Visit our product pages at:
www.OTN.oracle.com
www.Oracle.com
www.Oracle.com/Identity
PRODUCTS IN ACTION LEARN MORE

Continue the Dialogue http://www.talkingidentity.com

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

http://blog.talkingidentity.com	24
http://www.slideshare.net	9
http://tanweerahmad.blogspot.com	7
http://tanweerahmad.blogspot.in	6
http://www.linkedin.com	3
http://tanweerahmad.blogspot.de	1
http://tanweerahmad.blogspot.hk	1

Application-Centric Identity Management:Identity-enabled applications made easy

by Nishant Kaushik on Oct 01, 2009

Accessibility

Categories

Upload Details

Usage Rights

7 Embeds 51

Statistics