Tuesday, October 12, 2010

The Story of 'O' products

It's come to my attention lately that there's a LOT of confusion about what the litany of 'O' products ('O' being Oracle) actually do. Given Oracle's choice to name everything after itself, you end up with a myriad of 'O' products in three- and four-letter acronyms. Coming from a background of Microsoft products, where almost every year the product was renamed to something entirely different for no rhyme or reason (see MIIS to ILM to FIM), I am OK with Oracle renaming everything it buys to "Oracle" something. Still, there's a lot of confusion about the products and what they do. Given the recent acquisition of Sun's products and their subsequent renaming, there's lots of speculation that the products overlap or, worse, compete. Some examples: OAAM, or Oracle Adaptive Access Manager, and OAM, or Oracle Access Manager. Given the names, one might think the products are competitors. Naturally, in today's business environment, where every penny counts as businesses guard their cash reserves, you wouldn't want to put anything into production with an overlapping or competitive function. As such, I've been repeatedly asked about things like OIM, OID, OIA, and OAAM and whether they serve the same function. This post is my attempt to provide some insight into how those products interact, what purpose they serve, and our roadmap for implementing them.

A good visual is invaluable to show the relationship between the parts of the Oracle Identity Suite. Here's the interaction as presented by Oracle for their products and respective niches they fill:

We're currently implementing the foundation for good Access & Identity Management, which is good role-based access and role governance. This is served by Oracle Identity Analytics, or OIA. OIA will allow us to move away from the very manual process of managing roles today by spreadsheet and SQL scripts. It will also allow us several key improvements: separating our AIM systems from any and all legacy databases, moving away from the tight coupling of roles (access) to job codes and cost codes, and finally associating access with job functions and responsibilities in the form of enterprise roles. Having a solid grasp on roles is fundamental to our efforts and will provide a multitude of benefits to us, our customers, and the business.

We're also implementing Oracle Internet Directory or OID which will allow us to govern access to Oracle databases. Oracle Internet Directory (OID) is an implementation of LDAP (lightweight directory access protocol) and allows end users to access Oracle databases with their network credentials. This allows us to tie back access to Active Directory as our single point of control for all access in the enterprise. OID will also allow us to manage authorizations in Oracle databases via membership in LDAP (OID) groups, groups governed and approved by the database owners. So Business Intelligence database access will have to be approved by the Business Intelligence team, CRM database access will be controlled by CRM team, etc. All of this access will be requested, approved, and authorized through a single site, the Computer Access Process or CAP.
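To make the OIA/OID relationship concrete, here is an added example (my own illustration for this post, not code from Oracle or from either product): enterprise roles govern membership in LDAP groups, and a database login is authorized only if the user holds the group the database owners approved for that role. The role names, group DNs, users and database/role pairs are constructed sample data, and the Directory class is a plain dict standing in for a real LDAP server such as OID.

```python
"""Added example (not code from the original post or from Oracle): a toy of the
model described above, where enterprise roles drive LDAP group membership and
a database login is authorized by membership in the approved group.

Constructed assumptions: role names, group DNs, users and database/role pairs
are sample data; the Directory class stands in for a real LDAP server.
"""
from dataclasses import dataclass, field

# Enterprise roles, as a role-governance tool would hold them: each role is tied
# to a job function and expands to the LDAP groups that actually carry access.
ENTERPRISE_ROLES = {
    "bi-analyst": {"cn=bi_readers,ou=groups,dc=example,dc=com"},
    "bi-dba": {"cn=bi_readers,ou=groups,dc=example,dc=com",
               "cn=bi_dba,ou=groups,dc=example,dc=com"},
    "crm-support": {"cn=crm_support,ou=groups,dc=example,dc=com"},
}

# Which group each database owner team has approved for each database role.
DB_ROLE_GROUPS = {
    ("BI", "READ_ONLY"): "cn=bi_readers,ou=groups,dc=example,dc=com",
    ("BI", "DBA"): "cn=bi_dba,ou=groups,dc=example,dc=com",
    ("CRM", "SUPPORT"): "cn=crm_support,ou=groups,dc=example,dc=com",
}


@dataclass
class Directory:
    """Stand-in for the LDAP server: group DN -> set of member user ids."""
    members: dict = field(default_factory=dict)

    def is_member(self, group: str, user: str) -> bool:
        return user in self.members.get(group, set())


def sync_roles_to_groups(assignments: dict, directory: Directory) -> Directory:
    """Make group membership match role assignments (user -> set of roles).

    Both directions are handled: a granted role adds the user to its groups,
    and a removed role takes the user out of every group that no remaining
    role justifies, so access does not linger after a job change.
    """
    desired = {}
    for user, roles in assignments.items():
        for role in roles:
            if role not in ENTERPRISE_ROLES:
                raise ValueError(f"unknown enterprise role {role!r} for {user}")
            for group in ENTERPRISE_ROLES[role]:
                desired.setdefault(group, set()).add(user)
    for group in set(directory.members) | set(desired):
        directory.members[group] = set(desired.get(group, set()))
    return directory


def authorize_db_access(directory: Directory, user: str, database: str, db_role: str) -> bool:
    """Decision for a database login: the user must hold the approved group.

    An unknown database/role pair is denied rather than treated as open.
    """
    group = DB_ROLE_GROUPS.get((database, db_role))
    if group is None:
        return False
    return directory.is_member(group, user)


if __name__ == "__main__":
    d = sync_roles_to_groups({"alice": {"bi-analyst"}, "bob": {"crm-support"}}, Directory())
    print(authorize_db_access(d, "alice", "BI", "READ_ONLY"))  # True
    print(authorize_db_access(d, "alice", "BI", "DBA"))        # False
```

The point of the sync function is the removal path: when a role is taken away, the groups it justified are dropped too, which is the part that spreadsheets and SQL scripts tend to miss.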

The CAP itself will get a facelift this year and we're going to improve and extend our provisioning process (see Identity Administration) as we implement Oracle Identity Manager or OIM. OIM will allow us to move away from our Microsoft based workflow engine, which has served our purposes admirably but not without its challenges, and allow us to begin to use OIM's connectors for expanded provisioning to the eBusiness applications. OIM also promises tighter integration with the Oracle owned applications like PeopleSoft and the rest of our Oracle Identity Suite products like Oracle Adaptive Access Manager (OAAM) and Oracle Identity Federation (OIF), two technologies we're going to implement in the next 4-6 months as well. More on Oracle Adaptive Access Manager and Oracle Identity Federation in a future post.

So to RECAP:

OIA: Oracle Identity Analytics - role management, a foundational piece (database) for role based access and role governance.

OID: Oracle Internet Directory - a directory implementing LDAP which will allow us to authenticate Oracle database users via Active Directory and authorize them based on membership in groups (roles) governed in the near future by OIA (no dependency).

OIM: Oracle Identity Manager - a workflow and provisioning engine for extending and enhancing the administration of identities.

OIF: Oracle Identity Federation - a means for federation of our identities with partner organizations. Federation via standards, plain and simple.

OAAM: Oracle Adaptive Access Manager - strong authentication and knowledge based authorizations for websites. Coupled with its capabilities for real time fraud detection and prevention this tool will serve a variety of purposes.

Tuesday, September 07, 2010

My Review of Roku HD Player

Originally submitted at Roku

The best-selling HD Player (also known as Netflix Player by Roku) plays High Definition video and connects to surround sound audio.


Best purchase I've made in the last year

By agilekalaf from Goodyear, AZ on 9/7/2010

5 out of 5

Pros: Easy to use, Great value, Video selection, Compact, Reliability, Built in Wi-Fi, Easy to set up, High quality picture

Cons: Need fast internet service

Best Uses: Internet Radio, Primary TV

Describe Yourself: Technophile

Given I am very internet savvy, I knew full well how to take advantage of this device from the start, but this is the future of TV. They are building the features of the Roku into TVs (Vizio, others) and selling them for a huge markup now. I wouldn't buy one, I'd buy this instead. Why? It's configurable. You can get Pandora, FlickR, SmugMug, and TEDTalks with this device. All for around $100 makes this the smart move.


Sunday, November 22, 2009

Trying out MarsEdit2

So I'm now a VERY happy Mac user. It's like the most stable, non-free Linux laptop I've ever used. But I've yet to find anything that rivals Windows Live Writer for blogging to a variety of platforms. While it isn't free, MarsEdit2 holds great promise. So for the next 30 days my posts will be coming to you courtesy of MarsEdit 2.

Wednesday, October 28, 2009

My Review of Pragmatic Thinking and Learning

Originally submitted at O'Reilly

All day long, you're thinking. There's always something new you need to learn. But do you know the best ways to think, or learn? We all know how to work with software and hardware, but what about wetware-our own brains?

In this new book by Pragmatic Programmer Andy Hunt, you'll se...


Head First Thinking and Learning!

By Agile Kalaf from Phoenix, AZ on 10/28/2009

5 out of 5

Pros: Well-written, Easy to understand, Helpful examples, Concise

Best Uses: Expert, Student, Novice, Intermediate

Describe Yourself: Developer

What's great about the Head First books? They truly understand how we humans think and learn. Read the intro to any HF book and they will tell you their approach is based on an understanding of how people learn best. THIS book shows you how they arrived at that conclusion and how you can train your mind to be a better learner. Are you interested in mastering the job you have or training for the job you want? This book will help you lay the foundation for that no matter what area you are looking to master. One of the best books I've read in years!


Tuesday, June 02, 2009

Some lucky devil is going to Catalyst 2009. Should be the bomb for Identity Management! Next year I'll try and make it to Prague!

Wednesday, November 12, 2008

Gartner last presentation

I love the MQ on conference schwag. Sorry I missed the laser pointer (I think), but I did end up with two pairs of magnetic Ben-Wa balls from Deloitte. Dude, did you just say Ben Wa? Ummm...yes...look it up. Seriously, a dubious gift to be sure. I feel like Captain Queeg when I play with them. Then there's the ever-present risk of HIGHLY magnetic items in the laptop case...that's gotta be dangerous. Finally, I was sure seeing those things in my bag would prompt some sort of impromptu cavity search, but gratefully it was not to be.

Notes from the conference: Shannon Wilson is the coolest boss on the planet. Really, there are so many ways to describe it, but the best reference isn't my word, it's how many people at work are now approaching him wanting to be a part of his team. A good boss is like gold.

When you attend a Gartner conference and you're in the last session....ask a friggin question. I failed to notice the 4 iPod Nanos up front...one for each questioner. Well, how could you know, you ask? Ummm...cuz they did the exact same thing last time (2 yrs ago). Oh well. I didn't win a damn thing.

Overall the conference was one of the best I've been to...relevant info, GREAT Wifi (consistently and EVERYWHERE) and very very good food (from the vendors).

One more thing: IT conferences are great because of the diversity. I see Indians, Asians, Europeans, Canadians, South Americans, Caribbeans. I love the voices and the perspectives.

Making the case for IAM

Key issue 1 - Obtain and maintain support
1. Understand the context
a. What does the business really want?
b. Listen, don't pontificate
2. Plan and execute
a. Establish the mechanics
3. Maintain
a. Close the loop

"The foundation of effective support is credibility"

Understand the business strategy
Faster, better, less expensive
Map IAM strategy back to the business strategy
Understand the business environment
Drivers, Economics, Competition
Understand the business risk and risk affinity

Establish effective governance
IAM Steering committee
Role of Security vs Information/process owners, people owners
Establish channels of communication
Identify key stakeholders
Meetings, presentations, documentation
Build relationships
Marketing principles
Differentiate target audiences
SWOT it
Customize messages, packaging, and execution

Key issue 2 - Communicating the business value of the program

Articulate the business model
The 4i Model
Capture the business drivers
Security efficiency
Security effectiveness
Business agility and Performance
Map drivers to Values and Actions
Business value - Expected Benefits
Relevant Business Drivers - Why
Implications/Requirements - What

Executive Communication Plan
Vision, action plan, Project list, Resources requirements, Reasons (business drivers), Expected business values

Tailor to audience preference
Temper content to reflect cultural and personality realities

Key issue 3: IAM Projects - Cost Benefit Analysis or ROI?

Developing a balanced approach to investment justification
Reporting the results

Recommendations
Establish the foundations
Listen to the business, understand context
Implement governance structures and communications channels
Establish feedback loop
Communicate value of program
articulate benefits in business terms
Map business drivers to actions and expected values
Justify project investment in business terms
Use balanced CBA
Report back

Privileged Access Presentation by Ant Allan

Ant is one of the best Gartner guys. Very thorough and very knowledgeable. So here's the news

50% growth in this space in the last 12 mos. This market is BOOMING right now. We've got lots of choices. That said, here are the choices we need to consider:

SUPM: Super User Password Management - The SUDO model. This is the concept of a support person or power user who needs access to elevated privileges in a given network device, database, server, etc.

SAPM: Shared Account Password Management - SA, DBA, Administrator: these accounts are shared between systems administrators. The passwords to these ultra-powerful, system-installed accounts are often kept in an Excel spreadsheet (and much worse) and shared among DBAs, Sys Admins, and Network Admins. The passwords need to be centrally managed and checked in and checked out.

SIEM: Security Information and Event Management - We need to log what people do with elevated and shared account privileges. Likewise, we can set up patterns and scan for suspicious activity.

SAPM: Software Account Password Management - Lots of applications have Service Level accounts with elevated privs. We need a way to manage passwords so that they can get their passwords, we can track applications using these passwords, and limit/change passwords to key systems and service accounts. This space is also called Application to Application (A2A) or Application to Database (A2B).
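As an added example for the SAPM and SIEM notes above (my own illustration, not code from Gartner or from any vendor's product), here is a minimal shared-account vault of the check-out/check-in kind, with an audit trail that a SIEM-style rule scans for suspicious use of elevated accounts. The account names, approved users and sample passwords are constructed; rotation on check-in uses Python's secrets module; the detection rule (one person checking out many distinct shared accounts in a short window) is one illustrative pattern I picked, not a product's rule set.

```python
"""Added example, not from the post or from any vendor: a minimal shared-account
vault of the check-out/check-in kind described under SAPM, with an audit trail
that a SIEM-style rule scans.

Constructed assumptions: account names, approved users and sample passwords
are made up; rotation uses the secrets module; the detection rule is one
illustrative pattern.
"""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class AuditEvent:
    when: datetime
    actor: str
    action: str      # "checkout", "checkin" or "denied"
    account: str
    reason: str = ""


class CheckoutError(Exception):
    pass


@dataclass
class SharedAccountVault:
    passwords: dict              # account -> current password
    approved: dict               # account -> set of users allowed to check it out
    holders: dict = field(default_factory=dict)   # account -> user currently holding it
    audit: list = field(default_factory=list)

    def _log(self, when, actor, action, account, reason=""):
        self.audit.append(AuditEvent(when, actor, action, account, reason))

    def checkout(self, actor: str, account: str, now: datetime) -> str:
        """Hand the password to one approved person at a time, and record it."""
        if actor not in self.approved.get(account, set()):
            self._log(now, actor, "denied", account, "not approved for account")
            raise CheckoutError(f"{actor} is not approved for {account}")
        holder = self.holders.get(account)
        if holder is not None:
            self._log(now, actor, "denied", account, f"held by {holder}")
            raise CheckoutError(f"{account} is already checked out by {holder}")
        self.holders[account] = actor
        self._log(now, actor, "checkout", account)
        return self.passwords[account]

    def checkin(self, actor: str, account: str, now: datetime) -> None:
        """Release the account and rotate its password so the value the person
        saw stops working; a real deployment would also push the new password
        to the target system."""
        if self.holders.get(account) != actor:
            raise CheckoutError(f"{actor} does not hold {account}")
        del self.holders[account]
        self.passwords[account] = secrets.token_urlsafe(24)
        self._log(now, actor, "checkin", account)


def excessive_checkouts(audit, window: timedelta, threshold: int) -> set:
    """SIEM-style rule: actors who checked out at least `threshold` distinct
    shared accounts within any `window`-long span (denied attempts excluded)."""
    flagged = set()
    checkouts = sorted((e for e in audit if e.action == "checkout"), key=lambda e: e.when)
    for start in checkouts:
        in_window = {e.account for e in checkouts
                     if e.actor == start.actor and start.when <= e.when < start.when + window}
        if len(in_window) >= threshold:
            flagged.add(start.actor)
    return flagged


def run_scenario() -> dict:
    """Constructed walk-through; returns the values worth inspecting."""
    t0 = datetime(2008, 11, 12, 9, 0)
    vault = SharedAccountVault(
        passwords={"ora_sys_prod": "sample-pw-1", "sa_sql_prod": "sample-pw-2",
                   "root_fw01": "sample-pw-3"},
        approved={"ora_sys_prod": {"dba1", "dba2"}, "sa_sql_prod": {"dba1"},
                  "root_fw01": {"dba1", "netadmin"}},
    )
    first = vault.checkout("dba1", "ora_sys_prod", t0)
    try:
        vault.checkout("dba2", "ora_sys_prod", t0 + timedelta(minutes=1))
        concurrent_denied = False
    except CheckoutError:
        concurrent_denied = True
    vault.checkin("dba1", "ora_sys_prod", t0 + timedelta(minutes=5))
    rotated = vault.passwords["ora_sys_prod"] != first
    vault.checkout("dba1", "sa_sql_prod", t0 + timedelta(minutes=6))
    vault.checkout("dba1", "root_fw01", t0 + timedelta(minutes=8))
    flagged = excessive_checkouts(vault.audit, timedelta(minutes=30), 3)
    denied = [e for e in vault.audit if e.action == "denied"]
    return {"concurrent_denied": concurrent_denied, "rotated": rotated,
            "flagged": flagged, "denied_events": len(denied)}
```

The two things worth noticing: the password is rotated at check-in, so a checked-out value has a bounded life, and the denied attempts are logged too, because a string of denials is often the earlier signal.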

Discoverability: The ability to poll a network and inventory ALL network devices, databases, and servers. This ability is nascent in this space. It's a product differentiator. It's also assumed that AT A MINIMUM you know what your inventory looks like in silo (Windows Admins know how many Windows servers there are, etc.).

Pricing is all over the place: per instance, per CPU, per entitlement, per user. CA has the best suite-based product. IBM has a suite-based product. The other 3 big vendors don't have this and partner with various vendors.

This space is exploding because auditors are forcing this as a compliance issue. Only 1200 companies worldwide have anything in place. We're not alone in NOT doing this and pushing to get it done this year. However, we are unique in that we don't have a handle on what our resource (server, database, network device) inventory is...this is a major failing for us.

Tuesday, November 11, 2008

IAM Implementation, worst mistakes, best practices

Big Mistakes
Not understanding the MQ. The leader quadrant is NOT for everyone.

Not listening to vendor/integrator advice – you may think you know more or that your business model is truly unique BUT they know their product and how it achieves your goals

Changing the scope on a whim – Don't allow yourself to get shortsighted; plan, design and build for the long term, remember IAM is infrastructure

Big Success

Establish effective governance
Steering committee
Role of the CISO/CSO vs process and people owners

Establish channels of communication
Identify key stakeholders
Meetings, presentations, documentation
Build relationships (don't use acronyms)

Marketing principles
Differentiate target audiences
SWOT it
Customize messages, packaging and execution

Decision Framework

Phase 1 – Identify
Phase 2 – Prioritize
Phase 3 – Organize

Prioritize – Drivers and Deliverables
Drivers – impact, cost, urgency
Deliverables – std deliverables

IAM Drivers
Security Efficiency
Security Effectiveness
Business enablement

the 4I model
Integrity, Investment, Indemnity, Insurance

What if you're down, what to do to turn it around?
IAM Governance is key
PLAN AND COMMUNICATION

IAM as a Managed Service and IdMaaS

It's an embryonic “pre-chasm” market with licensing and config challenges ahead

IdMaaS will rise and fall with SaaS and SOA-centric approaches

First gen IdMaaS will be hybrid service and app architecture

IdMaaS requires shared reusable services; initial frameworks are available but vendor products are nascent

Professional IAM “as a Service” Types 1 & 2 & 3

1. Professional IAM Services
   1. They help you BUILD out your IAM offering
2. Managed IAM Services
   1. They build it, you manage it and consume it at their site
3. On-demand “IAM as a Service”
   1. Hosted services you consume as a part of your IAM solution
4. Service-Architected IAM
   1. Fischer International
   2. Early editions of current IAM products, ERP administration
   3. SOA based design
   4. Simple pricing

Fischer International is a company that will provide you IAM as a Service

Recommendations

Near
Establish a common vocabulary for talking about this
Audit current IAM infrastructure so you know the cost to operate it

Intermediate
evaluate the options periodically
Consult with services procurement to see legal and policy issues

Long term
Implement IdMaaS type appropriate to your organization

Service oriented identity

Early identity:

SSO, on boarding, provisioning to various applications

Today: Strong Authentication, Federation, encrypted laptops

What we need?
Externalized authorizations policies
Abstraction of deployment details from the application
Integration of security with IDEs
Roles, context, trust
Hot pluggable functions....cross platform

All of these mean Service Oriented Security

Authentication Service
Oracle Access Manager (Web SSO) for Java and .NET
Oracle Adaptive Access Manager (Risk based access manager)
compares current behavior to behavioral baseline to assess risk

Authorizations Service
Oracle Role Manager
Oracle Entitlements Server

Oracle entitlements sit in the same namespace as the application; it's not centralized, it's localized, so it doesn't go over the network (this sounds DAMN SEXY...I want details!!)

Identity, Profile Service
Oracle Identity Manager – manages identity lifecycle
Oracle Virtual Directory – replaces main directory in real time

the benefit of SOA Approach is that we can replace it as we see fit

lots of the standards for all of this are in flux and oracle is leading development of them

XACML is an XML representation of policy on disk
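To show what "externalized authorization policy" and "policy on disk" mean in practice, here is an added example (mine, not from the presentation, from Oracle or from the XACML spec): the rules live in an XML document and the application only asks a decision function, rather than hard-coding them. The policy is XACML-flavoured (Policy, Rule, Effect, Target, deny-overrides) but uses a simplified schema of this example's own and is not a valid XACML document; the roles, resources and actions are constructed sample data.

```python
"""Added example, not from the post, from Oracle or from the XACML spec: a toy
of externalized authorization, with policy in an XML document and a small
decision function the application calls.

Constructed assumptions: the policy is XACML-flavoured but uses this example's
own simplified schema; roles, resources and actions are sample data.
"""
import xml.etree.ElementTree as ET

SAMPLE_POLICY = """\
<Policy PolicyId="payroll-access" RuleCombiningAlgId="deny-overrides">
  <Rule RuleId="clerk-reads-payroll" Effect="Permit">
    <Target>
      <Match attribute="role" value="payroll-clerk"/>
      <Match attribute="resource" value="payroll"/>
      <Match attribute="action" value="read"/>
    </Target>
  </Rule>
  <Rule RuleId="manager-approves-payroll" Effect="Permit">
    <Target>
      <Match attribute="role" value="payroll-manager"/>
      <Match attribute="resource" value="payroll"/>
      <Match attribute="action" value="approve"/>
    </Target>
  </Rule>
  <Rule RuleId="no-contractor-payroll" Effect="Deny">
    <Target>
      <Match attribute="employment" value="contractor"/>
      <Match attribute="resource" value="payroll"/>
    </Target>
  </Rule>
</Policy>
"""


def _matches(target, request: dict) -> bool:
    """Every Match in a Target must hold. A request attribute may be a single
    value or a collection (a user usually carries several roles). A rule with
    no Target applies to every request, as in XACML."""
    if target is None:
        return True
    for match in target.findall("Match"):
        have = request.get(match.get("attribute"))
        if have is None:
            return False
        values = set(have) if isinstance(have, (set, list, tuple)) else {have}
        if match.get("value") not in values:
            return False
    return True


def decide(policy_xml: str, request: dict) -> str:
    """Policy decision point: returns "Permit", "Deny" or "NotApplicable"."""
    root = ET.fromstring(policy_xml)
    if root.get("RuleCombiningAlgId") != "deny-overrides":
        raise ValueError("only deny-overrides is implemented in this example")
    effects = [rule.get("Effect") for rule in root.findall("Rule")
               if _matches(rule.find("Target"), request)]
    if "Deny" in effects:          # deny-overrides: one matching Deny wins
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def pep_allows(policy_xml: str, request: dict) -> bool:
    """Enforcement point: only an explicit Permit opens the door. NotApplicable
    is treated as a deny, the safe default when no rule covers a case."""
    return decide(policy_xml, request) == "Permit"


if __name__ == "__main__":
    clerk = {"role": {"payroll-clerk"}, "employment": "employee",
             "resource": "payroll", "action": "read"}
    print(decide(SAMPLE_POLICY, clerk))  # Permit
```

Two design points: the application never sees the rules, so changing who may approve payroll is a policy edit rather than a code release; and the enforcement point fails closed, so a request no rule mentions is refused rather than quietly allowed.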

User centric identity keynote

CEO Province of BC (British Columbia)
Frank Villavicencio Citigroup Global
Bandit Higgins Project Novell
Kim Cameron Microsoft Identity Architect

BC Citizen Centric identity
something we could use for transparency with Obama Open Government initiative
Privacy is a concern here... people will give everything to Amazon, but NOT to a government entity

Talk is about Joe the user Citizen Consumer

Live ID now supports OpenID

there's a new version of Cardspace? Kim Cameron's point is that the industry as a whole needs to do this NOT just Microsoft or Novell, etc

Open Source Identity System

within 2 years all major vendors will support this

Enterprise identity will weaken as it moves on to the Internet

OpenID, what else
It's OK for low-level transactions where there's very little value in hacking it

Microsoft and Google offering OpenID but NOT accepting it

The idea is claims-based security... OpenID is a threat to that in that it's not too secure
if it gets more secure its fine

standards based authorizations? Yes....eventually...authentication and authorizations have to be separate