Oracle on Wednesday announced a new project to tackle one of the thorniest problems facing enterprises: the proliferation of sensitive identity information across enterprise networks.
The Identity Governance Framework is an initiative to develop specifications for sharing identity data across heterogeneous applications. The project has the support of identity and access management (IAM) vendors Ping Identity, Sun Microsystems and Securent, as well as CA and Novell. The framework will eventually be turned over to a standards-setting body, according to Amit Jasuja, vice president of product development for Oracle's security and identity management products.
The Identity Governance Framework (IGF) grew out of Oracle's efforts to integrate identity and access management technology it acquired from Thor Technologies, OctetString and other companies, Jasuja said.
"We realized that a solution that just works with the Oracle stack is not what customers need," he said.
Instead, problems such as lost data on laptops and identity theft point to the need for overarching standards that govern all the sensitive data squirreled away in data repositories across an enterprise, such as human resources, customer relationship management and custom-built internal applications. Oracle estimates that between 60 and 80 percent of sensitive data reside in these kinds of repositories, rather than in better protected enterprise databases, he said.
"Finding out where all that information is turns out to be a huge forensic exercise," Jasuja said. "You have to root through every application repository and application logic and code to figure out how the [sensitive data] is being used."
IGF addresses that problem by establishing a governance model that allows organizations to create "contracts" between applications and repositories of identity data. The model would cover how data flows within an enterprise and outside the enterprise to supply chain or business partners, he said.
IGF has the following four components:
-- CARML, the Client Attribute Requirement Markup Language, is an XML-based language used by application developers to define contracts that specify how applications can use certain kinds of data.
-- CARML API is an Application Programming Interface that application developers can use to consume identity data in a way that conforms to the policies that govern that data.
-- AAPML, or Attribute Authority Policy Markup Language, defines policy rules regarding the use of identity-related information from an identity source.
-- Identity Service is a service for securely accessing identity data from multiple identity sources based on established policies.
Open source and standards groups, including Eclipse.org and OASIS, are also working on the problem of federating identity information, but OASIS' SPML (Service Provisioning Markup Language) and Eclipse's Higgins Trust Framework are more about creating consistent user identities that work between systems, rather than managing sensitive data, he said.
"Nobody's asking whether I can propagate a social security number outside my country boundary and put it into system somewhere else," he said.
Still, Oracle believes that IGF properly belongs under the umbrella of some standards-setting organization, he said.
The company plans to reach a deal to hand off its API, as well as its AAPML and CARML work, to such a group within the next 90 days or so. Jasuja wouldn't say which group Oracle was considering. However, he acknowledged that a top concern is the speed with which the group can shepherd the IGF specifications through to standards.
Both OASIS and Eclipse are possible partners for IGF. Notoriously slow IEEE is not high on the list of groups that might take over Oracle's work, he said.
"Our goal is to take this into a standards organization as quickly as possible to get the (intellectual property) stuff figured out, and not sit around and waste a lot of time and energy," he said.