Directory Services

Sun Directory Server Enterprise Edition (DSEE) and Oracle Internet Directory (OID) will co-exist as strategic products (contrary to some interpretations out there). This is because each product has a unique set of capabilities that address different market segments and use cases. Oracle will innovate both directories, which includes adding some of the administration, reporting and systems management capabilities that have been built for the OID and OVD products to the DSEE product. Sun DSEE will be re-branded as Oracle Directory Server Enterprise Edition.

Meanwhile, Sun OpenDS will continue as an open-source project.

Oracle Virtual Directory will be the strategic product for identity virtualization.

Access Management

Oracle Access Manager will be the strategic product for web single sign-on. Sun OpenSSO will continue on as an open-source project for the community.

Sun’s Fedlet capabilities will be integrated into Oracle Identity Federation, which will be the strategic product for Federated Single Sign-On.

Sun’s Secure Token Service will become part of the Oracle Access Management Suite going forward.

Products that aren’t impacted by the Sun acquisition, and therefore remain strategic for their specific areas are Oracle Entitlement Server (fine-grained authorization), Oracle Adaptive Access Manager (strong authentication and risk-based access management), Oracle Web Services Manager (SOA + Web Services security) and Oracle Enterprise SSO (SSO for Desktop and Mainframes).

Identity Administration

Oracle Identity Manager will be the strategic identity administration and provisioning product moving forward. Sun Identity Manager, re-branded as Oracle Waveset (didn’t think I’d hear that name again outside of reunions), will be maintained for quite some time, and some of its key features like IDE integration and tamper-proof auditing will be integrated into OIM.

Identity Governance

Sun Role Manager will be re-branded as Oracle Identity Analytics and will become the strategic identity governance product in the Oracle Identity Management Suite. It will provide capabilities in the area of role mining, compliance attestation, and identity dashboards and reports, and will be enhanced to leverage some of the best-of-breed capabilities that Oracle has in the area of business intelligence and data mining. Note that role lifecycle management capabilities continue to be offered currently via the Oracle Role Manager product.

General

Throughout this acquisition, Oracle’s focus is on the customer. We want to make sure that customers continue to remain successful in their projects, and get value from the investments they have made. This is reflected in some of the strategic decisions made, and in points made throughout the webcast:

• In most cases, Oracle will be developing migration tools to help customers move to the new strategic products.
• Oracle will be providing support and maintenance for all the Sun products for a very long period of time, including lifetime support in certain cases.

Obviously, there will be a lot more information coming in the next few weeks/months. Stay tuned, and check out oracle.com/identity for more information.

Tags: Identity Analytics, Identity Governance, OpenSSO, Oracle Access Manager, Oracle Identity Management, Oracle Identity Manager, OracleSun, Oracle_IDM, Sun Directory Server, Sun Identity Management, Sun Identity Manager, Sun Role Manager

I’ll be taking part in two of their panel discussions, one on the topic of Separation of Duties (SoD), and the other on the topic of Attestation (or re-certification). Both are on Wednesday, December 9th:

• How to Efficiently Implement SoD Controls: Which Level Works?
  • 11am EST| 8am PST | 5pm CET
• How to Start: Recertification or Active Access Controls First?
  • 12pm EST | 9am PST | 6pm CET

Both panels will be focused on determining the right approach to rolling out these solutions, and where they should fit into your overall IdM program. This sometimes become a vendor driven conversation, so the opportunity for fireworks is always there.

Check out the conference if you have time. It’s virtual, so you can do it from the comfort of your home/office (which is always good in the winter). And it’s free (you can’t beat that)! Should be an interesting discussion.

Tags: Access Governance, Attestation, Conference, Identity Governance, Risk Management, Separation of Duties, SoD

Day 2: Lets get back to basics

The first half of Thursday was focused on enterprises looking for ways to achieve efficiencies and ROI through their IdM deployments, an outcome that had lost its relevance in the rush to achieve compliance objectives. But the current economic climate, and the slew of M&As (mainly As) and layoffs has brought this to the forefront once again, and sustained market interest in IAM when other initiatives are being pared back.

The day was a very good one for hearing about how customers were leveraging their IdM deployments in creative ways.

• I heard some interesting use cases of how Virtual Directory was being used to achieve efficiencies.
  • Companies are using Virtual Directory to expose the same identity data in different forms for different use cases.
  • The presenter from Sony talked about using Virtual Directory on top of geographically local LDAP servers to provide global access to data while satisfying their data compliance needs.
• There were a couple of sessions on managing UNIX infrastructure via AD (which is when I ducked into the cloud computing track).
• Wendy Booker of SunTrust Banks described how they used the cost savings (which they had to demonstrate and prove) from their IdM deployment to self-fund their project, which was a story I am sure more than a few attendees were interested in.

What I found really great was that a lot of the sessions were presented by organizations that had moved on to the 2nd or 3rd phases of their identity management program rollouts. This is quite different from all the previous conferences (Catalyst and others) I have been to, and speaks to the maturity of the market and some of these deployments.

The second half of the day was focused on identity transparency and governance. One of the most important points of the conference was made by Chris Howarth in his excellent kickoff talk, when he said that identity management must facilitate both hierarchical organizations that are necessary to implement enterprise controls, and social networks that are necessary for collaboration to take place. A lot of the discussion in the following talks were focused on the need to increase transparency with respect to how identity data is used, managed and secured to allow for accurate risk assessment and compliance to take place (echoing what was discussed in the cloud computing SIG). And increased transparency only works when complexity is reduced (preventing opacity from just being replaced by obscurity), an architectural requirement that aligns nicely with the identity services vision discussed on day 2.

Day 2 ended with the second night of hospitality suites, including Oracle. We got such a crowd in the Oracle suite that I barely managed to leave it for a few minutes to meet up with some old friends and colleagues in the other suites. And I made some good friends that day (and into the night – not a topic for this blog). I will say that celebrating Ian Glazer’s birthday at a speakeasy called Prohibition was very cool, even if they didn’t ask me for the password.

Day 3: Identity and Privacy are Blood Brothers

Day 3, while just a half day, still packed a solid punch with lots of intellectually stimulating discussion on the topic of privacy. Ian Glazer made a good point at the start of the conference when he said that the identity community is uniquely qualified to deal with the emerging privacy issues. And the sessions on Friday laid out exactly why. The key point made was that Security (making it difficult to get to something you shouldn’t have access to) should not be confused with Privacy (making it easy to get to something you should have access to). They are related, but not the same thing.

Robin Wilton gave an inspiring talk in which he laid out a framework for having productive privacy discussions with the multiple stake-holders involved. He arrived at this framework by analyzing the results of a series of round table discussions held around the globe as part of the Liberty Alliance Privacy Summit to get contextual understanding of privacy. Robin laid out a “Ladder” framework (Philosophy | Strategy | Implementation | Technology) that helps the parties involved focus on the use cases and issues to resolve. I hope he makes his presentation publicly available in some format in the future, because really is a great piece of work.

Bob Mocny, Director of the US-VISIT program, talked about some of the identity and privacy issues involved in running the single largest biometric authentication program in the world. One of the key takeaways from his and the follow-up sessions was the need for organizations to implement privacy audits as separate programs from their IT-Security audits.

Heidi Wachs, Directory of IT Policy and Privacy Officer at Georgetown Univ, gave an interesting talk about the lessons learned during Georgetown’s efforts to  handle a privacy breach. What I found fascinating was how they went about trying to create and enforce a policy on the use, collection and retention of SSNs. Their findings on how far the data was “leaking”, how hard it was to track down all the possible data flows, and how users went to great lengths to hide their mistakes were a lesson that every enterprise should be aware of. It also highlighted the challenges the extended enterprise, working with business and IT partners and services providers, faces in locking down privacy issues.

The day ended with Google talking about how they protect the privacy of their users. It may have only been a half-day, but the quality of content made it a fitting way to end a thought provoking conference. Look forward to what the next one has to bring.

Tags: Breach Remediation, Burton Catalyst Conference, Catalyst09, Identity Governance, Ladder Framework for Privacy, Privacy, Privacy Audits, Virtual Directory