BT (Robert McCausland & Peter Boyle) and Oracle (the ever dapper Christian Patrascu) accepting the European Identity Award from Martin Kuppinger & Tim Cole

The Solution

BT MFR brings together a comprehensive suite of fraud reduction capabilities under a single service. Device recognition, location recognition, behavior recognition and comprehensive policy enforcement through a customizable ruleset (powered by Oracle Adaptive Access Manager) provide granular risk assessments, returned in real-time so that even digital services requiring instantaneous delivery can be risk assessed for suspected fraud.

This functionality is all strung together and orchestrated by an Oracle Service Bus and accessed via web service calls. The routing and transformation layer that OSB provides allows for the augmentation of all the transaction data presented which can subsequently be used in a much richer risk assessment. The sources of such checks could be external URU or internal to the enterprise based on intelligence they’ve built up over years.

Risk assessments from multiple services can thus be aggregated to provide a single response to the protected application, containing all the information required to determine whether any transaction should continue forward.

Thanks to this unique design the service is also able to evolve, with new services integrated into the overall risk assessment procedure as they become required or available, without impacting the single web service call that the customer needs to access this battery of anti-fraud protection.

The Benefits

BTs Managed Fraud Reduction service has brought together a unique set of capabilities that address online fraud in ways that adapt to the organizations specific needs:

• Most online retailers cannot afford to issue password generating tokens to a fickle and ever-changing user-base. so a risk assessment based on transaction parameters such as device recognition and location provides a different way to achieve greater security.
• Online retailers providing digital goods or services cannot wait until shipping to review transactions (as delivery is immediate) so a system based on real-time assessment is greatly beneficial.
• Financial service providers need to assure funds transfers and payments within increasingly short windows (due to regulations such as ‘Faster Payments’) so real-time responses are essential.
• Gaming and leisure services are reliant on age-verification, so require identity verification score aggregated with the normal risk assessment. MFR allows the integration of such additional web services and will launch with BT’s URU identity verification available as an option.
• With the BT MFR service in place, customers can demonstrate to auditors that fraud prevention strategies are in operation and as a cloud service allows them to demonstrate this at a fraction of the cost compared to a self build strategy.
• With a robust fraud solution in place, customers can demonstrate to merchant acquiring banks that liability has been reduced.
• The architecture removes the need for the customer to contract separately with multiple vendors providing identity and fraud related services.

Addressing all market sectors and territories, fully customizable and simple to use, BT Managed Fraud Reduction service is an evolving one-stop solution to the ever-changing challenge of online fraud. And Oracle is proud to be a part of the solution.

Tags: BT, EIC11, European Identity Award, European Identity Conference, Fraud Prevention, Identity Proofing, Managed Fraud Reduction, OAAM, Oracle Adaptive Access Manager, Oracle Identity Management, Oracle Service Bus, Oracle_IDM, Risk Management

Directory Services

Sun Directory Server Enterprise Edition (DSEE) and Oracle Internet Directory (OID) will co-exist as strategic products (contrary to some interpretations out there). This is because each product has a unique set of capabilities that address different market segments and use cases. Oracle will innovate both directories, which includes adding some of the administration, reporting and systems management capabilities that have been built for the OID and OVD products to the DSEE product. Sun DSEE will be re-branded as Oracle Directory Server Enterprise Edition.

Meanwhile, Sun OpenDS will continue as an open-source project.

Oracle Virtual Directory will be the strategic product for identity virtualization.

Access Management

Oracle Access Manager will be the strategic product for web single sign-on. Sun OpenSSO will continue on as an open-source project for the community.

Sun’s Fedlet capabilities will be integrated into Oracle Identity Federation, which will be the strategic product for Federated Single Sign-On.

Sun’s Secure Token Service will become part of the Oracle Access Management Suite going forward.

Products that aren’t impacted by the Sun acquisition, and therefore remain strategic for their specific areas are Oracle Entitlement Server (fine-grained authorization), Oracle Adaptive Access Manager (strong authentication and risk-based access management), Oracle Web Services Manager (SOA + Web Services security) and Oracle Enterprise SSO (SSO for Desktop and Mainframes).

Identity Administration

Oracle Identity Manager will be the strategic identity administration and provisioning product moving forward. Sun Identity Manager, re-branded as Oracle Waveset (didn’t think I’d hear that name again outside of reunions), will be maintained for quite some time, and some of its key features like IDE integration and tamper-proof auditing will be integrated into OIM.

Identity Governance

Sun Role Manager will be re-branded as Oracle Identity Analytics and will become the strategic identity governance product in the Oracle Identity Management Suite. It will provide capabilities in the area of role mining, compliance attestation, and identity dashboards and reports, and will be enhanced to leverage some of the best-of-breed capabilities that Oracle has in the area of business intelligence and data mining. Note that role lifecycle management capabilities continue to be offered currently via the Oracle Role Manager product.

General

Throughout this acquisition, Oracle’s focus is on the customer. We want to make sure that customers continue to remain successful in their projects, and get value from the investments they have made. This is reflected in some of the strategic decisions made, and in points made throughout the webcast:

• In most cases, Oracle will be developing migration tools to help customers move to the new strategic products.
• Oracle will be providing support and maintenance for all the Sun products for a very long period of time, including lifetime support in certain cases.

Obviously, there will be a lot more information coming in the next few weeks/months. Stay tuned, and check out oracle.com/identity for more information.

Tags: Identity Analytics, Identity Governance, OpenSSO, Oracle Access Manager, Oracle Identity Management, Oracle Identity Manager, OracleSun, Oracle_IDM, Sun Directory Server, Sun Identity Management, Sun Identity Manager, Sun Role Manager

It took so long, I think of lot of people thought this day was just a mirage. And unfortunately, the delay has cost us (in the identity management team) the opportunity to work with some great folks like Eve Maler and Pat Patterson. But now it is done, and the real work can begin as we start to lay out exactly how the IAM suites of the two companies – arguably the best in the business – will come together. It isn’t going to be easy, and our emphasis on our customers means that it can’t be quick, but the result should be great. In the Oracle+Sun strategy update this morning, Thomas Kurian gave the following overview on the Identity Management product strategy:

• Oracle Identity Management Suite continues as the strategic family of products, but Oracle will continue to invest in and share technology between Sun and Oracle products
• Both Oracle Internet Directory (OID) and Sun Directory Server will be supported, with common LDAP administration through our DS Management tools. Oracle will continue to maintain OpenDS
• Sun Role Manager will become Oracle Identity Analytics, the strategic identity analytics tool
• Oracle Identity Manager, Oracle Access Manager, Oracle Virtual Directory, Oracle Entitlements Server and Oracle Identity Federation continue as Oracle’s strategic products for their respective areas, with technology incorporated from Sun
• Oracle will invest in Sun Identity Manager and integrate it with Oracle Identity Manager
• Oracle will also invest in Sun OpenSSO and integrate it with OAM

Of course, the devil is in the details, and I expect that the coming weeks and months are going to be a little crazy as those details are laid bare. Planning has been going on for a while, and now those plans can finally be communicated and the ramifications thrashed out. That should provide a fair amount of fodder for discussion in the blogosphere and twittersphere (so stay tuned). I’ll try to provide some information here as and when it can be made public.

And a warm welcome to all my new colleagues from Sun. Buckle in for what should be a very interesting ride. I’ll be at Oracle HQ in a couple of weeks to participate in some of the planning and discussions that will be happening. So if you will be around, then lets meet up.

Tags: Oracle Identity Management, Oracle Identity Manager, OracleSun, Oracle_IDM, Sun Identity Management, Sun Role Manager

Unfortunate coincidences on the title aside, the overall response to my session was quite positive, especially from folks whose opinions I really respect like Bob Blakley and Lori Rowland from the Burton Group. There was general agreement that widespread adoption of Cloud Computing is going to be a major disruption on the existing evolutionary path that Identity Management has been following. And adoption of the Identity Services model is a major component to readying IdM for the Cloud.

Check out the screencast (slides with audio of the session) of my session below. Registered attendees of OpenWorld can download the presentation itself and the MP3 audio recording of the session from OpenWorld On-Demand (just login with the Username and Password you created during your OOW registration).

The audio includes the questions that were asked of me, and turns out that the questions didn’t record well and I forgot to repeat them. Hopefully my answers are cogent enough that you get an idea of what questions were asked. I did want to follow up here on this blog post a few of those answers:

• A question came up regarding the licensing terms for Oracle IdM products when they are being used in a cloud environment (specifically, by organizations that are going to be Cloud Providers of Identity Services). The biggest challenge for such organizations is that they cannot accurately estimate the number of users, or other such variables licensing is typically based on, beforehand, which creates uncertainty for them as to the cost they will have to bear. After the session, I confirmed with our PM team that there is special licensing available for ISVs. Talk to your Oracle sales rep about this if interested.
• Another question came up regarding the impact of all this on standards like SPML. I believe my answer covered my opinion on the greater emphasis the cloud identity model will put on the evolution of these standards, especially SPML, which has been languishing. Follow up conversations with some of the original architects of the SPML standard and others involved in standards efforts brought up that the communities responsible for these standards are looking at this very hard and are gearing up efforts to address this. So stay tuned for more on that.
• A question was asked regarding Just-In-Time Deprovisioning of access to cloud-based assets. This is something I discussed quite a bit in a blog conversation with folks like Ian Glazer and Pam Dingle a while back. So check out that post and the related thread.

Tags: Cloud Computing, Cloud Identity Model, Identity Services, OOW09, Oracle OpenWorld, Oracle_IDM

Marines can’t use Twitter or Facebook on duty, but soldiers and sailors can. For airmen, it depends on the base.
As for YouTube, the Air Force has created its own channel – which can’t be accessed from work computers.

A lot of people in favor of social media use (including yours truly) view it as an important communication and PR tool, providing some much needed openness and transparency in a time of record low recruitment and mistrust. It is also viewed as a weapon for the military to take back the narrative regarding the wars in Iraq and Afghanistan from the hype-driven media. The rate at which information can be gleaned from these media makes them effective early-warning systems on all manner of critical events – from earthquakes to civil war and revolutions. And don’t forget how incredibly useful it is as a tool for our troops to stay in contact with friends and loved ones. For a much better, insider take on how critical the use of social media is to our national security, read this extremely well-written article in the Federal Times.

I shared the story on twitter, along with my opinion that the ban was the wrong approach for the military to be taking. Brad Tumy challenged me to explain why I thought it was the wrong approach, and what I think they should be doing instead. I promised I would address his question in a blog post soon, so here goes.

Lets take a look at some of the main reasons given for banning social media.

1) Bandwidth Issues

The amount of bandwidth sucked up by YouTube, Facebook and the like puts a strain on limited DoD resources. But today, network tools that monitor bandwidth usage and throttle the traffic based on conditions are quite common. And using geolocation and device identification to cut off access on machines being used in the field (that use extremely limited satellite-based bandwidth) is technically possible (and as someone I met at Catalyst told me in a different context, is being done every day).

2) Spread of Malware

Highly publicized incidents like the Koobface worm spreading via Facebook have led some of the security experts to consider these sites to be tremendously dangerous to the integrity of the DoD networks. But the malware threat from social media is nothing compared to the attacks the DoD has to fend off on a daily basis via sanctioned channels, namely email and so called “good” websites. And the tools to protect against the malware attacks are well understood and widely deployed. Most folks learn pretty quickly to identify and ignore malware messages, no matter what the medium. And cloud-based social media sites will do a much better job of cutting an attack off at the knees than thousands of distributed email systems ever will.

3) Information Leakage

In providing their reason for banning social media, the Marine Corps said

the very nature of social networking sites creates a larger attack and exploitation window, exposes unnecessary information to adversaries and provides an easy conduit for information leakage.

This is probably the most serious cause for concern, and one where IAM and Security technologies can play a crucial role. In many cases, the challenge here is similar to the one faced when dealing with any communication channel, whether it be email or ftp. Many enterprises rely on Security Information Management to protect their most sensitive resources – their data. A well established Identity Management infrastructure provides the first layer of protection by ensuring that only authorized individuals have access to sensitive information, and then providing a complete audit trail around the access of that data. This has been shown to have a deterrent effect in information protection, and can assist in tracing back the source of a data leak. DLP (Data Leakage Protection) tools provide data security by enabling data identification, classification, usage and wrapping controls around it all. Firewalls are getting increasingly sophisticated (take a look at Palo Alto Networks, which is getting traction with a content inspection engine that can “accurately identify applications … and scan content to stop threats and prevent data leakage“). The fact that Facebook and Twitter have APIs that allow the creation of custom clients means that users can be given access in a secure way through apps developed by the military. And there is commercial software out there that does much the same.

Now, the way I see it, the armed forces are facing the exact same dilemma that most enterprises are facing when considering how to tackle the use of social media in the workplace. The only difference is in the amplification of the potential consequences. Exploitation of the attack window that social media use creates could lead an enterprise to lose a lot of money, but in the case of the armed forces it could lead to serious loss of life. That does mean that while the issues are the same, the risks are vastly different. This would necessitate a completely different risk mitigation strategy. But does that mean that the solutions that can help would change too?

A blanket ban such as the one being discussed would lead you to believe that there exists no ability to handle what are essentially security and access control issues in the system, and that simply is not the case. I’m not saying that it is perfect, but a combination of tools, policies and guidelines can make it possible for social media to be leveraged by the military in ways that serves their (and our) national cause without harming their mission. And that would be to everyone’s benefit.

If you ever saw the movie “Breach” about how Robert Hanssen leaked national secrets by photocopying files and carrying them out in his bag, just think of how much more quickly he might have been caught if he had been sending those files over a social media connection. USB drives and email are far bigger threats (right now) than social media. and by being proactive, the military can turn these tools to their advantage. On the other hand, by not playing in one of the emerging technologies in the market, the US military risks becoming outdated, outmoded and outplayed by our adversaries.

Tags: Data Leakage Protection, DLP, Facebook, Firewall, Identity Management, Military, Oracle_IDM, Social Media, Social Networking, Twitter

The SIG Meetings

For me, the conference was divided into two parts. Monday and Tuesday I attended a few SIG meetings on topics that were varied yet highly interconnected. Monday was a meeting of the Concordia Workshop, which is now a discussion group under the new Kantara Initiative. The focus of the meeting was Use Cases driving Identity in Enterprise 2.0: The Consumerization of IT. The ever intrepid Eve Maler has posted materials from the day to the Concordia site, so you can check them out yourself. While the individual discussions covered all manner of areas, the connecting thread throughout was Authorization. There was a morning discussion where a panel talked about the progress made in the authorization space, from the XACML API contributed to the TC by Oracle and Cisco, to the emergence of AuthZ as the critical service in the identity services reference architecture being developed in the Burton Group ISWG (which I have been participating in and writing about). Mike Gotta and Alice Wang gave an excellent talk on the emerging concerns regarding social tools in the enterprise, and a lot of those concerns again boil down to authorization issues, in this case regarding data and information. Eve talked about her work on the ProtectServe protocol that enables authorized data sharing from a user perspective. And the day finished with a talk on Levels of Assurance, a critical piece in allowing for partners to make informed authorization decisions.

Tuesday started with a meeting on Cloud Computing Security and Identity Management. As readers of my blog/twitter know, I have been saying for a while that cloud computing is going to have a major impact on the identity management business, in much the same way that compliance concerns did a few years ago. It is probably a sign of the immaturity of the market that the discussion was focused on describing the challenges to be solved rather than any solutions.

The meeting included a deep dive presentation by Liam Lynch, Ebay’s Chief Security Strategist, on how the auction giant tackles their internal cloud computing needs. There were a few points made during his presentation that I found interesting:

• eBay is into cloud computing as a provider, not a consumer, since they allow 3rd party developers to create their own auction sites on eBay infrastructure using a development kit called eBox
• As such, eBay feels that security considerations have to be made inherent in cloud architecture as they cannot rely on these 3rd party developers to not make mistakes
• eBay uses contextual behavior and reputation, including biometric analysis, as the underpinnings of its identity management strategy. Reputation and behavior analysis generate (over time) dynamic identity claims that then get used in access control decisions
• eBay found RBAC to be a bad match for their performance requirements, and shifted to a claims-based model for authorization. In this model, claims are attached to the data object being accessed itself (sort of a next-generation ACL). The access then compares the claims the actor has at runtime with these to make an authorization decision.
• Liam made the point that managing access through roles was a bad model for them, which is why they went claims-based. I understand the performance concerns that arise when evaluating RBAC at runtime, but for managing the grants of access, nothing beats a role-based model. So I was a little surprised by his statement. When I dug deeper, it turned out that they simply replaced RBAC with Organization-based AC, and not because of performance reasons but because of compliance reasons since the org change has approval attached while the role change did not. So it wasn’t really an issue with RBAC, just the implementation they had in-house.
• Liam pointed out that a move to the cloud can be an opportunity to fix broken internal processes, since the cloud will amplify any issues you may have

The meeting also had Nils Puhlmann, co-founder of the Cloud Security Alliance, speaking to the participants on the need to come up with a practical security checklist that all Cloud Service Providers could be measured against, so that enterprise customers can make accurate assessments of the risk with using a particular CSP. He called for greater vendor involvement and focus on the cloud, since the cost dynamics of the cloud make adoption inevitable. And that CSPs need to be more transparent about their security controls and policies.

Later that afternoon I attended the next meeting of the Identity Services Working Group that I’ve been participating in. There were a lot of new folks in the audience, so it was a good opportunity to recruit new blood into the effort. As Kevin Kampman presented the work that had been done previously on the Authentication service and laid out the effort lying ahead on the Authorization service, we got into highly spirited, and productive, discussions on the nature of the services architecture. One of the points made repeatedly (and which was echoed later in the week during the sessions) was the terminology issue that plagues the identity community, in this case around words like Policy (vs. policy). There was a strong sentiment from the group that policy management needs to be made part of the overall framework for it to work properly. And there was also a strong push from the group to try and condense the best of the prior efforts at defining AuthZ services into our vision.

While on the surface all of these SIGs were on different topics, I found them to be highly intertwined. Identity concerns in cloud computing are tied in directly to the need for an identity services architecture that allows cloud services to leverage enterprise identity (and therefore security) apparatus, thus reducing risk for the enterprise and providing compliance with both internal and regulatory controls. And Enteprise 2.0 is mostly about the intrusion of  cloud-based services like social media into the enterprise environment (or the extrusion of the enterprise into commercialized IT services, depending on how you want to look at it), where concerns about consistency of identity and controls are foremost in the minds of CIOs and CISOs everywhere. So while the discussion is still somewhat fragmented (as it probably should be at this time), I look forward to all of this coming together nicely in the future (maybe even at a future Catalyst conference).

I think I need to do a better job breaking these posts into smaller, more readable chunks. My next post(s) will focus on the sessions themselves.

Tags: Authorization, Burton Catalyst Conference, Catalyst09, Cloud Computing, eBay, Identity Services, Kantara Initiative, Oracle_IDM, Project Concordia

In a nutshell, here is what happened as I understand it: A hacker named Hacker Croll (who has been a pain in Twitter’s behind for a while now) was able to gain access to the Gmail accounts of various twitter employees, including founder Evan Williams. He was then able to use the regular password-recovery techniques that rely on email-based mechanisms to gain access to other services being used like Paypal, GoDaddy, Amazon and Apple. But most notably, he had access to the Google Docs service that the Twitter folks were using extensively to store sensitive corporate documents. This landed Hacker Croll a goldmine (that has been shared with TechCrunch) of documents, including “financial projections, product plans and notes from executive strategy meetings”. Twitter has a lot to deal with here. But this is an important IdM and Cloud Computing related cautionary tale for all of us. And the takeaways, while obvious, bear repeating.

This episode underscores the fact that password recovery techniques that rely on email delivery of passwords or password-reset links are highly insecure. Secret question based mechanisms (aka Static Knowledge-Based Authentication) are not that much more reliable either (anyone and everyone can find out the name of any celebrity’s first car, dog, mother’s maiden name, etc). Services that deal with sensitive information NEED to rely on Dynamic Knowledge-Based Authentication (where the data source for the authentication questions could be the content stored in the service itself, which only the users should have knowledge of) or Out-Of-Band Identity Proofing (something Oracle Adaptive Access Manager can help with).

As more and more companies rely on the cloud, the security of cloud services (or lack thereof) needs to be evaluated very carefully, as will corporate security policies on access to those services. Strong passwords need to exist not only on the service access, but also on the accounts that have access to the service. Ideally, the service provider should support Multi-Factor Authentication and federated identity and authentication for higher identity assurance by corporate clients. And encryption of sensitive documents and data is a must. Cloud service providers need to understand the implications of entering the enterprise market, and that includes deploying enterprise-grade identity management and security technology.

Unfortunately this event will sow doubts in the minds of those that are considering using cloud-based services. Which is why we have to work hard to define the standards cloud services need to live up to. As Michael Arrington so bluntly put it:

It’s not our fault that Google has a ridiculously easy way to get access to accounts via their password recovery question. It’s not our fault that Twitter stored all of these documents and sensitive information in the cloud and had easy-to-guess passwords and recovery questions.

That is quite plainly an unacceptable state of affairs.

Tags: Cloud Computing, OAAM, Oracle_IDM, Password Management, Password Recovery Techniques

What Is Cloud Computing?

You’d think this would be easy, given how much everyone is talking about it. But a search on google will show you that there is actually a lot of debate on what the term stands for. Cloud Computing is a fairly elastic term that has been shape-shifting over time to encompass more and more disciplines in the area of IT operations. For a detailed explanation, I would suggest checking out this (free) research paper by the Burton Group. For the purpose of my discussion, I am going with the basic view that Cloud Computing encompasses all those *aaS concepts we have been hearing about for years now that allow every single layer in the architecture of an application (including hardware) to be utilized as a service over the internet:

• SaaS (Software as a Service): through which application services are offered (examples abound like Gmail, Salesforce.com, Zoho)
• PaaS (Platform as a Service): through which application platform/middleware services are offered (like the Google App Engine)
• IaaS (Infrastructure as a Service): through which underlying computing resources like processing,storage and networking are offered (think Amazon’s EC2)

Gartner has said that there are 5 basic attributes of a cloud computing model:

• It is service-based
• It is scalable and elastic
• It shares a pool of resources
• It is metered by use (aka pay-as-you-go)
• It uses internet technologies

Different Types of Clouds

There has also been some controversy around the concept of private clouds, with different folks defining it differently, or even positing that there is no such thing. I think Private Clouds are real and different from traditional data centers, and essentially refer to cloud computing environments dedicated to a single tenant (thereby not adhering to the sharing attribute). The waters get muddied even further when you bring up the concept of Hybrid Clouds. We’ll see how this is relevant later.

What Does This All Mean For Identity?

When we start to think about applications being delivered over the cloud, or enterprises relying on a cloud computing model instead of a data center model, we start to see certain implications for the identity architecture within.

• What is the identity model for these services? Can it co-exist with the enterprises existing identity model?
• Fundamentally, how will the users of these cloud services authenticate? And how will their access rights be managed and enforced?
• Will the cloud services have access to the enterprise identity stores (that are likely not in the cloud)? Is there a integration approach? Is there a replication strategy?
• What security controls exist around the identity data gathered, stored or used by these cloud services? Will they be in compliance with applicable regulations (like jurisdictional regulations on geographic location of data, PCI DSS) and an enterprises internal controls?
• Who (from the service provider side) will have access to the data? How will that be managed?
• How will the enterprises data be effectively segregated in a shared environment?
• What audit controls exist to allow investigation and discovery?

Generally speaking, the reason companies are considering cloud computing is to avoid the expense involved in building or acquiring the infrastructure, and to some extent managing it. However, without paying attention to the security and governance implications, those cost savings will actually evaporate when they either try to retrofit their existing business policies and controls into the cloud environment, or when they have to deal with the fallout from a breach or issue. I think we’ve all seen this particular movie before, so the question is whether we are paying attention to the lessons learnt. Lets talk about this, and examine how externalizing identity is crucial to making cloud computing viable.

Tags: Cloud Computing, Compliance, IaaS, Identity Services, Oracle_IDM, PaaS, SaaS

As an abstract identity construct, entitlements model whatever it is in an actual system that allows a user to do some well defined thing. As such, it is a fine-grained access management construct, so Ian isn’t wrong about that. But I think Ian’s post misses the power of the entitlement construct, which is what entitlement management products aim to surface.

An entitlement could simply be the permission to access a URL (typical web access management scenario). It could be the permission to click on a menu item in an application (typical application functional security scenario). It could be the permission to access a particular data record in the database (typical data security scenario). Each of these taken individually is a pretty big deal in of itself, but can be handled by products or features that are already available today.

But in a service-oriented world, where multiple applications get chained together to perform the functions behind a single action a user can perform, the entitlement becomes a hugely important construct. Currently, this would require ensuring that the permissions within every single component are properly coordinated to allow this flow to go off without a hitch. It becomes a very complicated permission engineering problem to figure out how the ensure that the function will work in all cases necessary.

Entitlements provides an abstraction and layer of indirection that eases the problem, unifying the access control equation. In an entitlement management based architecture each service, every tier within the service, every layer within the application, can refer back to the same entitlement and entitlement policy to determine whether or not to allow the function to proceed.

And to provide this kind of cross-service access control, an Entitlement Management product like Oracle Entitlements Server provides the ability to define powerful entitlement policies based on identity, role and contextual data. And while XACML is a necessary part of the architecture that enables a complex deployment to occur, it is just an enabling tool, not what defines the feature itself. In fact, XACML does bring its own limitations to a run-time environment.

Entitlement Management is a powerful tool that can simplify the mess of permissions and privileges that are strewn all over the enterprise landscape. When applications were silos, it was sufficient to deploy a provisioning system that could handle the provisioning of access into these black boxes. But with applications transforming into services and becoming increasingly interconnected and interdependent, role and entitlement management become critical pieces of enterprise architecture that help provide critical control, predictability and uniformity to the enterprise.

Tags: Entitlement Management, Identity Services, Oracle_IDM, Service-Oriented Security