ID Governance on Oracle’s Standard Plate

Oracle said it is pushing a new security framework to help companies better protect sensitive employee, customer and partner information exchanged through applications.

Ping Identity, Securent, CA, Novell and Sun Microsystems are joining the Identity Governance Framework (IGF), an effort Oracle is spearheading to fill a void in security standards.

IGF addresses what happens once data gets into corporate applications, making it a complementary spec to basic identity management standards, such as Liberty’s Identity and Web Services Federation (ID-WSF) and OASIS’s Security Assurance Markup Language (SAML).

Oracle hopes to take IGF to a standards body such as W3C, OASIS or the Liberty Alliance, for further development at a time when Web security is a huge area of concern for corporations concerned about meeting federal regulations requiring stringent privacy policies.

IGF is crucial for meeting compliance rules and elementary security requirements, according to Amit Jasuja, vice president of development for security and identity management at Oracle.

To date, specifications from the Liberty Alliance, Higgins Project and Microsoft enable businesses to gather personal data from customers and bring it safely into the enterprise system for use among partners, suppliers and customers.

But Jasuja said those efforts do not address the problem of what happens to user data when it gets inside corporate applications.

Nobody is tracking which application the personal data, which can include PINs, Social Security numbers or even credit card and bank account information, ends up in and whether that data is being used appropriately and by authorized personnel.

“Every one of these applications has information about employees, customers and users that is basically being handled by developers and DBAs — people who aren’t necessarily security experts,” Jasuja told

“Because of the wide range and number of these systems, it is impossible for information security officers to get a handle on who’s doing the right thing and who’s not.”

For example, a patient’s medical history should only exist as a contract between the patient and the primary care physician, and should not be extended to a nurse practitioner or insurance broker.

Today’s ID management specs fail to offer that wall between users; IGF aims to remedy that gap, Jasuja said.

This is a major issue, Jasuja said, because only 20 percent of identity-related data resides safely in a corporate directory; the remaining 80 percent resides in applications for finance, human resources or customer relationship management.

This potential security hole must also be filled because of the preponderance of federal regulations that require corporations to keep sensitive data locked up.

Inconsistencies can mount in applications, which can put information at risk and unnecessarily trigger privacy violations; such indiscretions can become a security officer’s worst nightmare in the face of an audit.

IGF offers a standard way for corporations to define policies to securely share sensitive personal information between applications and identity sources.

Through a system of “contracts” between applications and identity data sources, Jasuja said IGF will help companies control how ID-related data is used, stored and propagated across several systems in a partner network.

IGF has four key components, including two new markup languages.

Client Attribute Requirement Markup Language (CARML) is an XML-based contract defined by application programmers that informs deployment managers and service providers about the attribute usage requirements of an application.

Attribute Authority Policy Markup Language (AAPML) is a set of policy rules regarding the use of ID-related information from an identity source that allow these sources to place constraints on the use of ID data by applications.

The CARML API will let developers write applications that consume and use ID data based on policies set by the AAPML.

Finally, the identity service is a service for accessing ID data from multiple identity sources.
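As an added illustration (this is not part of the article and does not reproduce the real CARML or AAPML schemas; the element names below are hypothetical stand-ins), a small Python model of the contract idea: the application declares which attributes it needs and for what purpose, the identity source declares what it permits, and an evaluator denies anything outside the policy so that an auditor can see exactly which request violated which rule.

```python
# Constructed model of the IGF "contract" between an application and an
# identity source. The <app-contract> plays the CARML role (what the app
# needs and why); <source-policy> plays the AAPML role (what the source
# allows). Element and attribute names are hypothetical, not the real specs.
import xml.etree.ElementTree as ET

APP_CONTRACT = """<app-contract app="payroll">
  <attr name="employeeId" purpose="payroll"/>
  <attr name="bankAccount" purpose="payroll"/>
  <attr name="ssn" purpose="marketing"/>
  <attr name="salary" purpose="payroll"/>
</app-contract>"""

SOURCE_POLICY = """<source-policy source="hr-directory">
  <rule attr="employeeId" purposes="payroll marketing"/>
  <rule attr="bankAccount" purposes="payroll"/>
  <rule attr="ssn" purposes="payroll"/>
</source-policy>"""

def parse_contract(xml):
    """Return (app name, [(attribute, purpose), ...]) from the app contract."""
    root = ET.fromstring(xml)
    return root.get("app"), [(a.get("name"), a.get("purpose"))
                             for a in root.findall("attr")]

def parse_policy(xml):
    """Return {attribute: set of permitted purposes} from the source policy."""
    root = ET.fromstring(xml)
    return {r.get("attr"): set(r.get("purposes").split())
            for r in root.findall("rule")}

def evaluate(contract_xml, policy_xml):
    """Deny by default: an attribute the source never lists is not released,
    and a purpose outside the permitted set is recorded as a violation."""
    app, requests = parse_contract(contract_xml)
    policy = parse_policy(policy_xml)
    granted, violations = [], []
    for name, purpose in requests:
        allowed = policy.get(name)
        if allowed is None:
            violations.append((app, name, purpose, "attribute not released by source"))
        elif purpose not in allowed:
            violations.append((app, name, purpose, "purpose not permitted"))
        else:
            granted.append(name)
    return granted, violations

if __name__ == "__main__":
    granted, violations = evaluate(APP_CONTRACT, SOURCE_POLICY)
    print("granted:", granted)
    for item in violations:
        print("violation:", item)
```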

Now that Oracle has taken the standard public, the next logical move is to submit it to a standards body for further development at a more public level.

Rolling IGF into a standards body should also make the specs more appealing to Oracle rivals that may be hesitant to join the effort because the software giant is its chief architect, Jasuja said.

For example, Jasuja said that some of the vendors Oracle invited to join IGF, including Microsoft, IBM and BEA Systems, are taking a wait-and-see approach and are reticent to come aboard because Oracle is fueling the framework.

He also said Oracle is looking at the W3C, OASIS and Liberty Alliance among others as potential homes for IGF.

In the meantime, Jasuja said Oracle is also inviting additional vendors and customers to review and contribute to the key draft specifications.

“The whole governance model is seamless and is something that can be developed across the board,” Jasuja said. “We hope that once we make the initiative within a standards organization, more people will join it and collaborate on this.”

Sun’s vote is for IGF to be tucked into Liberty, where it is a prominent member.

“Sun supports its submission to a standards body and thinks the Liberty Alliance may be best, as it is a natural and essential evolution of the work already done within that organization,” said Don Bowen, director of identity integration for Sun.

Oracle has come on strong as a security software provider in the last two years, acquiring Oblix, Thor Technologies and OctetString for Web single sign-on, provisioning and virtual directory software, respectively.
