Clearly, identity and access management is crucial. For on premises enterprise applications, with mobile apps and no less with cloud based applications. Identity and Access Management revolves around a number of aspects:
· management of users and accounts, passwords and access methods as well as management of roles, application privileges, groups, security policies and the allocation of those; this can be done in a fairly straightforward administrative system that could be run as a SaaS service; multiple identity stores can be involved and federation of accounts or identity details – creation, update, removal – may be required to be federated across those stores; note that governance of accounts – timely removal of accounts for employees that have left, prevention of lingering privileges for staff that moved to new departments or positions – is crucial
· analysis of the roles and privileges allocated to verify separation of duties is implemented correctly and there are no
· enforcement of access privileges and protection of resources through authentication and authorization, supported by single sign on and identity federation
· registration of all activities of interest – system access, sensitive data retrieval in audit trails
Special flavors of these activities apply to programmatic access to for example APIs and for mobile devices that may have data and applications stored on them locally.
Oracle has its flagship product for Identity and Access Management: Oracle IDM 11g of which Release 2 Patch Set 3 is the latest version, that was published in the Spring of 2015. No new release was announced for this on premises offering at Oracle OpenWorld 2015. A new business user friendly interface is one of the most striking new features in this version, used among other things for self service account provisioning.
An example of a new user interface introduced in OAM 11gPS3:
Other new features include enhanced password policy management – including challenge questions for password reset, rule based workflow policies around account and role provisioning, a standards based REST interface on top of OIM (though still somewhat limited in scope), directory virtualization in Oracle Unified Directory, lightweight Mobile Device Management to provide a complete mobile security solution. Note that the current IAM suite is better supported by Enterprise Manager for install and life cycle management. Included in EM 12c is ORACHECK, a facility that helps verify your environment is set up correctly (according to Oracle’s best practices). Some functionality from Oracle Adaptive Access Manager is gradually added to OAM as well, for example Adaptive Authentication.
The attention during the conference in this area went to a new cloud offering that Oracle pre-announced: the Oracle Identity Cloud Service (shortly to be launched).
This Oracle Identity Cloud Service (IDCS) is positioned as THE identity solution for the Oracle Public Cloud, aka the identity fabric. Its objective: “Secure Access to Any Application from Any Device By Anyone”. It provides Identity and Access Management, Authentication and Authorization as well as Auditing and Federation. Well, it will – once it is available. It has the potential not only to manage access to any Oracle Public Cloud service and any custom applications and services running on the Public Cloud but do the same thing for on premises systems.
Use cases for this service are requirements for Single Sign On across a set of SaaS/PaaS services on the Oracle Public Cloud. Also organizations who want to synchronize their corporate LDAP – for example Active Directory or OUD – with the Oracle Public Cloud and/or who want to extend the SSO feature in their corporate environment into the cloud using federation or have a need to federate users across all their applications – both in Oracle Public Cloud and on premises and perhaps third party clouds.
This next figure illustrates the many types of systems and access that need to be handled:
IDCS offers identity governance, directory services and access management. It provides enterprise mobile security and SSO across cloud and on-premises. IDCS is aware of and can work with Social Identities, such as Facebook or Google accounts. It has support for risk/context-aware step up authentication and authorization. It can leverage the mobile device as a factor in multi-factor authentication (check biometric attribute, engage in security token exchange via SMS).
IDCS supports secure access to 3rd party cloud applications, as well as easy integration from on-premises applications for hybrid operations.
It is built from the ground up to leverage cloud principles; it has a stateless, microservices as well as a multitenant architecture. It provides APIs for programmatic access in addition to slick user interfaces. The IDCS provides a single security layer across web, mobile, APIs – a single point of truth for all security related meta-data. IDCS can federate identities and synchronizes directories from the cloud and on premises.
The functional architecture of IDCS as presented at the conference looks like this:
Three standard protocols will be supported: OpenID Connect (Spring 2016), SAML 2.0 and OAuth 2.0 (and API tokens) from the beginning.
System for Cross-domain Identity Management (SCIM) is an open standard for automating the exchange of user identity information between identity domains, or IT systems. IDCS will offer a SCIM bus between enterprise and cloud for exchanging identity details. The cloud-based identities can also be used for authentication with on premise applications, using the IDCS Cloud Cache – a read-only LDAP on premises that is based on the data in IDCS that is synchronized using SCIM.
Cloud Cache
The new version of Oracle IAM Suite is enabled with an agent called Cloud Cache. This enables you to synch the identities between your on premise LDAP / AD and your cloud systems. This Cloud Cache is a key component for hybrid cloud IAM solutions. This enables you to manage your identities in the same way as you do now and still use cloud based systems. The Cloud Cache takes care of the interfacing between your local identity stores and cloud systems.
In a later phase when you use cloud based systems as the main source of identities you can use the Cloud Cache as a means for synchronizing your cloud based identities back to your local active directory. This way you won’t have to implement a big bang scenario for migrating your identity manager to the cloud.