An Oracle White Paper July 2012. The Oracle Identity Management Platform: Identity Services at Internet Scale




Introduction
Identity and Access Management: Coming of Age
From IAM Suite to Controls Infrastructure
The Point Solution Approach Contributes to Complexity and Risk
The Platform Approach to Controls Management
A Blue Print of the Identity Platform
Economies of Scale for the Platform Approach
Anatomy of a Platform: Inside the Oracle Identity Platform
The Secret Sauce: Oracle's Middleware for the Controls Platform
Fulfilling Critical Use Cases with the Oracle IdM Platform
Modular and Best-of-Breed
Support for Open Standards
Connecting to Third-Parties and to the Cloud
Maturity and Scale
Platform for Developers
Oracle's Commitment to IdM
Platform Approach with a Pay-as-You-Grow Pricing Model
What's Next for the Oracle Identity Platform?
Simplification and Usability
Securing Applications on Mobile Devices
Cloud
Conclusion

Introduction

Identity systems are indispensable to the security, governance, and usability of online resources. Whether for authentication, personalizing user experience, or access certification, identity is at the core of making processes function properly. But for many organizations, the need to support broad user populations across a wide range of devices is driving up the complexity of identity management (IdM) systems. And deploying point products for each new requirement only exacerbates problems of complexity. IT organizations have come to realize that collections of point solutions don't equate to an identity system.

In recognition of the rapidly expanding scope of identity systems, Oracle offers a platform approach to IdM. The platform approach provides organizations with a comprehensive set of IdM functions, combined with middleware for data integration and Application Programming Interfaces (APIs) for application integration. Oracle's approach enables organizations to insert critical controls into existing network resources over a series of projects, with each project increasing the maturity of the controls infrastructure. And the platform is extensible to support growth from departmental to enterprise and Internet scale.

Oracle's platform approach to IdM has already proven to deliver both scale and business value. Oracle's IdM products are deployed at thousands of organizations, and are the backbone of cloud, telecommunications, and e-commerce websites. Oracle even uses this same IdM platform for Oracle Cloud, for Fusion Applications, and for its own IT operations. This paper outlines Oracle's platform approach to IdM, and how IT organizations can make the business case for the platform.

Identity and Access Management: Coming of Age

Over the last decade, the mission of identity and access management (IdM) systems has expanded to include a range of business objectives. Whereas early identity systems served primarily to simplify account management, today organizations are building IdM technologies into their controls infrastructure. Additionally, as applications outgrow traditional network boundaries through cloud and mobile channels, organizations are using IdM technologies to create a secure, integrated user experience. And the constant specter of hacking, insider threats, and consumer fraud also necessitates identification-based access controls throughout the enterprise. In short, the demands on IdM infrastructure are only increasing in diversity, scale, and importance. Figure 1 lists some of the common uses of IdM technologies.

Figure 1: Identity Use Cases

The use cases in Figure 1 are all served by technologies in the IdM market. But as the uses of identity technologies grow, the more difficult it becomes to achieve all of these objectives with a single solution. Large organizations in particular struggle to instill IdM technology across a digital urban sprawl of applications, databases, and platforms among lines of business, partner networks, and cloud applications. The magnitude of identity systems also continues to grow: whereas the IdM market formed in departmental, single-purpose deployments, IdM systems are now at the backbone of e-government services, commercial websites, telecommunications networks, social networking, and healthcare exchanges. Both by their size and significance, IdM technologies are critical to the online world.

From IAM Suite to Controls Infrastructure

In reaction to this heightened demand for IdM infrastructure, the market continues to deliver an impressive array of products. And organizations' urgency in resolving complex security problems has cultivated a market for special-purpose tools. For every new regulation, security exploit, and managerial nightmare it seems some new standard, product, or company emerges to solve the problem. As shown in Figure 2, the IdM market now includes products for accountability, governance, privilege management, access controls, information security, commerce enablement, fraud reduction, federation, and usability.

Figure 2: The identity management market is expanding to cover a wide range of use cases, creating tension for IdM products

The segmentation in the IdM market borders on fragmentation. In many cases, it's unclear where one product category starts and another ends. For example, should a role management product help organizations only to create roles, or should the product also discover access violations and remediate them? There is a product for every corresponding answer to this question. As a result, organizations needing IdM technology are left with the perplexing task of completing urgent, targeted projects while implementing technology from a vast, highly nuanced, and rapidly expanding market.

The Point Solution Approach Contributes to Complexity and Risk

Pressing problems can require organizations to react quickly, often making it difficult to pursue strategic solutions. For example, a critical audit finding obliges an organization to remediate the deficiency immediately. Similarly, in the wake of a security breach, an organization will quickly tighten specific controls. So as a practical matter, organizations often choose to reduce the scope of an identity project to meet near-term objectives. For example, the project team may decide that a single sign-on (SSO) project is only for Windows applications, or that a roles project should focus only on role mining, or that an account certification project is only for SOX applications running on a particular platform.
In the context of a narrow scope, a point solution may seem simpler, quicker, and cheaper. But over time, the reactive approach proves economically and architecturally unsustainable. In practice, point solutions contribute to the mounting difficulty of managing networked resources. Adding yet another product with a narrowly scoped purpose, with its independent data stores and requirements for special skill sets, increases IT complexity, leading to greater overall instability of the system. This is particularly true of products in an organization's security and controls framework. A patchwork of security solutions is no solution at all.

Figure 3: The patchwork approach to security and controls exacerbates the problem (panels: "A Patchwork of Solutions"; "Fragmentation Reduces Effectiveness": audit exposure; poor reporting, limited root cause tracking; vulnerable to breaches; multiple points of failure; missed business opportunities; inability to develop and deploy applications to users)

Oracle recognized this market dilemma and began developing and acquiring IdM technologies and packaging them into product suites. Suites were innovative in that they enabled organizations to deal with a single vendor for sales and support, while benefitting from integration across identity products. For example, suite vendors merged meta-directory and provisioning technologies into a single product category. Similarly, Web Access Management (WAM) and identity federation products are now often sold and deployed in tandem. Such innovations are important, but ultimately don't provide organizations with what they need: a way to deploy a controls infrastructure that can be continuously expanded through a series of smaller projects.

The Platform Approach to Controls Management

The objective of a controls infrastructure is to establish order in a chaotic or poorly regulated environment, but point products are ill equipped to deliver that kind of strategic value. So if organizations require broad, strategic, and comprehensive solutions for securing networked resources, then the question becomes how best to introduce such pervasive infrastructure into an existing, heavily utilized network. The proverbial forklift model of replacing existing systems with a ready-made solution is rarely if at all possible. But with careful planning and proper oversight, and with a platform-centric solution, organizations can introduce a cohesive IdM infrastructure over a series of projects.

From a technology perspective, what's needed is a platform approach to controls management. A platform differs from point solutions and suites by offering essential services for integration, reuse, expansion, and scale. A platform approach also separates platform technology from custom development, so upgrades to either side can be accomplished smoothly and independently. In other words, a platform is more than just a collection of point solutions; it's a cohesive and comprehensive set of technologies that is economical to extend, even to meet urgent and unforeseen demands. The following table contrasts important characteristics of a controls platform to a security point product.

Table 1: Differences between a point-product and platform approach to IdM

Integration
  Point product:
  - Standards-based interfaces with no explicit integration
  - Proprietary connectivity and extension methods
  - Limited options and tested configurations for OS, database, directories
  Platform:
  - Coded and tested integration with other platform components and with 3rd party point products
  - Integration with other platforms and products through standards-based interfaces
  - Data tools for integration (such as virtual directory)

Reuse
  Point product:
  - Data reuse only through custom integration
  - No reuse of management and monitoring UI; product specific for each component
  - Reuse of components only within a single product or product family
  - Customizations relevant only within the product; often version-specific
  - Product-specific data model or scripting language
  Platform:
  - Common definitions, data models, policy models and methods
  - Same monitoring and management tools for entire platform
  - Same technology for workflows, data storage, and integration
  - Externalized security and authorization services
  - Same connectors can be used for provisioning, password management, privileged account management, and monitoring
  - Clean separation of product code from custom code
  - Portable, reusable customization
  - Customizations not affected by upgrades

Expansion
  Point product:
  - Additional use cases tax the system substantially
  Platform:
  - Expansion to orthogonal use cases won't adversely affect performance

Scale
  Point product:
  - Often unknown or untested, and only discovered once the upper bound is reached
  Platform:
  - Reliably scales from initial use case with hundreds of users to dozens of use cases and millions of users

In contrast to Oracle's platform approach, point solutions implement proprietary data models, workflow engines, and scripting languages. On a deeper level, point solutions don't support a comprehensive set of applications, platforms, or topologies. For example, integrating with business applications like SAP and PeopleSoft, as well as with legacy platforms such as mainframes, is nearly impossible for independent vendors to develop, test, and support. And enabling scale for a controls platform is critical: the product must be able to support anything from 5,000 users to hundreds of millions of users, running as a departmental server or in active-active data center configurations with wide geographic dispersion. Few vendors have the resources and market presence that Oracle does to build products for such a wide range of uses, at scale, across difficult topologies.

A Blue Print of the Identity Platform

The figure below offers a blue print of how the identity platform supports the people and computing systems for an organization with a diverse and complex environment.

Figure 4: A high-level blueprint of the platform approach, showing connectivity to users, data, applications, etc.

In Figure 4, a gateway provides a multi-protocol front door to the enterprise or cloud service. The gateway represents an important identity-aware enforcement point at the edge of the network. Also at or near the edge of the enterprise network or cloud service are access management and federation services. These services help manage sessions for SSO within the environment and in connecting to external, federated services. Just below the presentation tier is a group of logic components that make up the intelligence of the identity platform. A risk engine works with edge systems and other components to assess the contextual risk of transactions. As risk increases, the risk engine applies policies for step-up authentication, access control, and alerts. The entitlements service is an externalized decision point for assessing whether actions or transactions should proceed. Similarly, the Separation of Duty (SoD) service evaluates whether any transactions result in a violation of policy, particularly for separation of duty. The policy development tools provide design interfaces for administrators and policy managers to create roles, set policies for access, and policies for compliance. The identity provisioning system then ensures that policies are put into effect, that all identities are certified for use, and that they contain accurate information. Data integration services enable the identity platform to easily connect to databases, directory servers, applications, platforms, and other services for data exchange, monitoring, and policy control. And finally, all actions of the identity platform are logged for monitoring and auditing purposes.

The blue print in Figure 4 illustrates why the platform approach is superior to point solutions. In particular, the platform approach is more adept than point products at handling crosscutting use cases. Consider a simple SoD use case, with the following application policy:

Approver ≠ Requester

A standalone role management product can help create the roles "Approver" and "Requester"; some standalone products can apply roles to the appropriate user accounts. The product may even offer SoD violation checking to ensure the two roles aren't assigned to the same person. But the policy above doesn't actually say one person can't possess both the Approver and Requester roles; rather, it states that for any given transaction, the Requester and the Approver must be two different people. For contextual authorization, the solution must also include Policy Enforcement Points (PEPs) and an entitlements engine, something a platform provides but point solutions can't. A platform also provides a comprehensive audit trail of how the roles were created, assigned, applied, and used.

Another example is mapping identities when no consistent common identifier exists across applications. A point solution requires a data cleansing project before SSO can begin.
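Returning to the Approver/Requester policy above, the following is an added example, not Oracle's code and not part of this paper: a small externalized policy decision point (standing in for the entitlements engine) and a policy enforcement point (the approval application) enforce the rule per transaction, beside the role-level check a standalone role product performs. The users, roles and transaction ids are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed role assignments (not from the paper). alice legitimately holds
# both roles: a role-level SoD check flags her, but the per-transaction
# policy "Approver != Requester" only forbids her approving her own requests.
ROLE_ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"Requester", "Approver"},
    "bob": {"Approver"},
    "carol": {"Requester"},
}


def static_role_sod_violations(assignments: Dict[str, Set[str]]) -> Set[str]:
    """What a standalone role product checks: who holds both roles at once."""
    return {user for user, roles in assignments.items()
            if {"Requester", "Approver"} <= roles}


@dataclass
class Transaction:
    tx_id: str
    requester: str
    approver: str = ""
    status: str = "pending"


@dataclass
class EntitlementsEngine:
    """Externalized policy decision point (PDP). Every decision is audited, so
    the trail records who requested, who approved, and why a call was denied."""
    assignments: Dict[str, Set[str]]
    audit: List[dict] = field(default_factory=list)

    def decide(self, subject: str, action: str, tx: Transaction) -> str:
        roles = self.assignments.get(subject, set())
        if action == "request":
            decision = "PERMIT" if "Requester" in roles else "DENY:missing-role"
        elif action == "approve":
            if "Approver" not in roles:
                decision = "DENY:missing-role"
            elif subject == tx.requester:          # the contextual SoD rule
                decision = "DENY:sod-self-approval"
            elif tx.status != "pending":
                decision = "DENY:already-decided"
            else:
                decision = "PERMIT"
        else:
            decision = "DENY:unknown-action"
        self.audit.append({"subject": subject, "action": action,
                           "tx": tx.tx_id, "decision": decision})
        return decision


class ApprovalApp:
    """Policy enforcement point (PEP): the application never decides on its
    own; it asks the PDP and enforces the answer."""

    def __init__(self, pdp: EntitlementsEngine) -> None:
        self.pdp = pdp
        self.transactions: Dict[str, Transaction] = {}

    def request(self, subject: str, tx_id: str) -> bool:
        tx = Transaction(tx_id, requester=subject)
        if self.pdp.decide(subject, "request", tx) != "PERMIT":
            return False
        self.transactions[tx_id] = tx
        return True

    def approve(self, subject: str, tx_id: str) -> bool:
        tx = self.transactions[tx_id]
        if self.pdp.decide(subject, "approve", tx) != "PERMIT":
            return False
        tx.approver, tx.status = subject, "approved"
        return True


def run_scenario() -> dict:
    """Walk two purchase orders through the PEP/PDP pair (constructed data)."""
    pdp = EntitlementsEngine(ROLE_ASSIGNMENTS)
    app = ApprovalApp(pdp)
    outcome = {"static_flags": static_role_sod_violations(ROLE_ASSIGNMENTS)}
    outcome["alice_requests_po1"] = app.request("alice", "PO-1001")
    outcome["alice_self_approves_po1"] = app.approve("alice", "PO-1001")  # denied
    outcome["carol_approves_po1"] = app.approve("carol", "PO-1001")       # no role
    outcome["bob_approves_po1"] = app.approve("bob", "PO-1001")
    outcome["carol_requests_po2"] = app.request("carol", "PO-1002")
    outcome["alice_approves_po2"] = app.approve("alice", "PO-1002")       # permitted
    outcome["decisions"] = [entry["decision"] for entry in pdp.audit]
    return outcome


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The static check flags alice, yet the per-transaction check lets her approve carol's order while still refusing her own; the audit list shows why each call was permitted or denied.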
The platform approach enables users to start with Enterprise Single Sign-On (ESSO), which enables users to map their own accounts and receive the immediate benefit of SSO. Because the ESSO product is part of the platform, it can share mapping information with the provisioning service so that other IdM services can be extended to these users quickly. Many such crosscutting use cases are why organizations now prefer IdM platforms to point products.

Economies of Scale for the Platform Approach

Organizations that take on more than three controls projects will find the platform approach cost-effective and much easier to complete. In a study by Aberdeen Group, a leading market research firm, of 160 organizations, those that took a platform approach to controls management saved 48% in costs, achieved 46% more responsiveness, and had 35% fewer audit deficiencies when compared to organizations that adopted point solutions. The platform approach creates synergies that provide greater value and automation when the solutions are integrated. Here are a few additional economic benefits documented in the Aberdeen report.

Increased end-user productivity. The organizations that chose a platform approach provided end user self-service 30% faster than organizations that did not have an integrated self-service capability. In addition, platform adopters were more agile, on-boarding and changing user access 73% faster than organizations that took a point solution approach.

Faster application deployment. By having an integrated platform, organizations were able to deploy new applications with identity management enabled 64% faster.

Improved administrative ratio. The study showed that companies that adopted a platform approach achieved an average of 5,500 users per administrator compared to 2,000 users per administrator with the point solution approach.

By taking an organizational approach with a platform, the organizations that had a long-term roadmap for identity management achieved better economies of scale. Instead of solving the challenges of a single department, they were able to set a foundation to address the requirements across departments. As a result, the platform adopters showed greater indication of standardization and repeatable reporting processes. In particular:

- Platform adopters were twice as likely to have standardized workflows to automate the user lifecycle and provide workflow-based exceptions.
- Platform adopters were twice as likely to have more mature controls like separation of duties and attestation reporting in place.

The platform approach offers a better financial model than do point solutions. Using the findings from the Aberdeen study and Oracle's Return on Investment (ROI) calculation tool, customers can estimate how a platform approach will benefit their organization. Figures 5 and 6 (below) illustrate an ROI calculation for a platform approach compared to a point solution approach over a period of five years.

Figure 5: ROI example from a platform approach to identity management

Figure 5 illustrates a platform approach to an identity management project. Given parameters for hard and soft costs, including software licenses, the customer will be able to achieve a breakeven point in Year 3 and has doubled the ROI by Year 5.

Figure 6: ROI example from a point solution approach to identity management

In contrast, Figure 6 (the point solution approach) uses the same parameters as the project in Figure 5. The calculator shows that because of additional costs, complexity, and delays, the project approaches the break-even point in Year 5 and the benefits aren't fully realized.

Anatomy of a Platform: Inside the Oracle Identity Platform

Oracle's approach to IdM recognizes organizations' need for comprehensive controls. For this reason, Oracle has focused relentlessly on creating a complete, open, and integrated platform for IdM. With a design center of enabling a broad set of control objectives from a single platform, Oracle's IdM technologies include classic identity management capabilities, such as directory, provisioning, and Web Access Management (WAM), in addition to platform services (such as virtual directory and entitlements services), data security, and Application Programming Interfaces (APIs). These technologies enable organizations to construct a foundation for instilling controls in depth, in a pervasive manner across applications and data, across all access channels. Oracle's identity platform consists of three functional pillars and underlying platform services, as shown in the following figure.

Figure 7: Functional groupings in the Oracle 11g R2 Identity Platform

Identity Governance involves setup of the environment in advance of access, as well as review of the environment to ensure policies are enforced as intended. The Access Management pillar includes the technologies involved in run-time enforcement of access, that is, when users are actively using the system. Directory Services operate at the data layer to provide identity context to the other two pillars. Oracle also provides Platform Security Services that enable developers to access any component in the pillars, externalize security decisions, and take advantage of platform security features. In the 11g R2 release, the Oracle identity platform consists of the following technologies:

Figure 8: Oracle products and technologies in the 11g R2 IdM Platform

The function of each of these products is explained below.

Identity Governance products:
- Oracle Identity Manager (OIM) is an identity provisioning product. OIM includes features for self-service password management, access request forms, delegated administration, approval routing workflows, and entitlement management across any number of connected systems.
- Oracle Identity Analytics (OIA) collects logs from IdM products and other systems to report on usage, build effective IT roles, and detect account-related audit issues such as orphaned accounts.
- Oracle Privileged Account Manager (OPAM) secures accounts with elevated access, such as root accounts on Unix systems and databases, by implementing a password checkout system.

Access Management products:
- Oracle Access Manager (OAM) is a Web Access Management (WAM) product that enables SSO across an organization's web presence.
- Oracle Adaptive Access Manager (OAAM) enables organizations to apply stronger, risk-based, and multi-factor access control to an organization's web presence.
- Oracle Enterprise Gateway (OEG) is a soft-appliance XML gateway for securing and managing application and web access to an organization's web presence.
- Oracle Identity Federation (OIF) provides standards-based identity federation capabilities for enabling SSO across websites.
- Oracle Security Token Service (OSTS) is a WS-Trust compliant STS implementation. An STS converts security tokens of various types, enabling compatibility and trust across federation boundaries.
- Oracle Entitlements Server (OES) is a fine-grained entitlements service that supports a variety of externalized authorization mechanisms including XACML 3.0.
- Oracle Enterprise Single Sign-On (OeSSO) is a client-based SSO product that enables users to access web, client-server, and legacy applications through a single, strong authentication wallet.

Directory Services products:
- Oracle Unified Directory (OUD) includes both a highly scalable LDAP directory service based on Java and the Oracle Virtual Directory (OVD) product. See the section below for more information on OVD.
- Oracle Internet Directory (OID) is a scalable LDAP directory service based on Oracle database technology.

The Secret Sauce: Oracle's Middleware for the Controls Platform

The Oracle IdM platform is unique in its inclusion of middleware for connectivity and security. In Oracle's experience with business applications, these technologies are indispensable to a successful IdM deployment. In the 11g R2 release, these technologies are as follows:
- Oracle Virtual Directory (OVD) enables efficient and elegant integration to data sources.
- Oracle Entitlements Server (OES) provides a scalable approach to fine-grained entitlement controls, contextual role enforcement, and run-time policy evaluation.
- Oracle Platform Security Services (OPSS) provide developer access to essential security functions.
- Oracle Enterprise Gateway (OEG) enables SOA applications to establish an identity-based control at the edge of enterprise networks. OEG also provides REST-ful interfaces to the identity platform for mobile applications. And when combined with Oracle Web Services Manager (OWSM), it also adds encryption, PKI, and related policy control to web services.
- OWSM secures and applies identity to SOA interactions.

Fulfilling Critical Use Cases with the Oracle IdM Platform

With this broad set of integrated technologies, the Oracle Identity Platform enables organizations to deploy all the use cases referenced in this paper. For example, the Oracle Identity Platform enables closed loop access certification, that is, the platform not only reports on uncertified access, it also helps to remediate any findings. The platform also continuously maintains SoD policies while automating access changes through self-service, delegated admin, and access request workflows. The platform also enables organizations to manage access policies globally.

The access pillar of the Oracle Identity Platform includes SSO for legacy and Web applications, including out-of-the-box integration with leading platforms, databases, devices, and applications. Because of the common management framework, organizations can view and manage user sessions in real time. The platform also includes risk-based controls over access through the Oracle Adaptive Access Manager (OAAM) product. With OAAM, organizations can perform device fingerprinting and assess security risks in real time. For example, organizations can control access based on the location of a connected device and the sensitivity of the transaction, combined with the behavioral patterns of the authenticated user. If the risk factors appear high, the access manager can require the user to perform a step-up authentication, use a one-time password, or meet some other requirement before permitting access. The following figure shows how Oracle's IdM platform fulfills some of the critical use cases discussed at the beginning of this white paper in Figure 1.

Figure 9: Oracle IdM products fill out the architectural blueprint

The three use cases identified in Figure 9 flow as follows:

1. Closed Loop Certification. To provide a Closed-Loop Certification process, identified as flow 1 in Figure 9, an employee first uses a self-service applet to request access privileges. The user's view of applications and entitlements is set by policy in OES. OIA verifies that the request doesn't violate any Separation of Duty (SoD) policies based on the user's existing privileges. OIM then orchestrates various workflows to collect and record any requisite approvals and then sets roles and privileges in the directory service and any connected systems affected by the change. Periodically, OIA can be used to report on the user's overall access, gather and record the appropriate approvals, and extend the user's privileges and revoke any excess privileges.

2. Fraud Detection. When a user attempts to access a web resource, OAAM captures information provided by the browser, including MAC address, IP address, browser type, etc. OAAM uses this device fingerprint and the associated user authentication (provided by OAM) to rate the risk of the transaction. If the risk score is high, OAAM can require the user to provide additional information before allowing access. Also, based on the risk score and user information, OES provides policy on whether the user can access the target resource.

3. Social Network Integration. A user who has authenticated to a social networking site can use those credentials to access certain low-risk portions of the organization's website. Using social federation services provided by OAM, the user can also use credentials from other sites to create a profile on the organization's site.

Modular and Best-of-Breed

Oracle's platform approach is founded on a long-term architecture of modularity, with best-of-breed components. Accordingly, as Oracle continues to increase integration among its identity products, each product will deliver best-in-class performance for its category. Oracle has already delivered on this promise: with the 11g platform, Oracle's identity products are recognized as market leading by Gartner and other analyst firms. Oracle's platform approach ensures that the benefits of using products in combination will be greater than in isolation, but Oracle builds no interdependencies into its identity products. Oracle's identity products are likewise built and tested to support a number of non-Oracle operating systems, application servers, and IAM products. Many identity platform customers use Oracle identity products in combination with other vendors' infrastructures and applications.

Oracle's stance on openness and modularity isn't just good for customers, it's critical to Oracle's business model as well. The nature of a controls platform is to be connected to all systems in the enterprise, including other identity solutions. The open approach also takes advantage of common skill sets required to operate the platform.
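The closed-loop certification flow (flow 1 above) as a worked example: a request is checked against the user's existing privileges for a separation-of-duty conflict, approved, provisioned, and later certified so that excess privileges are revoked. This is added illustration code, not Oracle's OIA/OIM/OES API; the role names, SoD policies, users, and the `request_access`/`certify_access` functions are constructed stand-ins for the steps the flow describes.

```python
"""Closed-loop access certification with a separation-of-duty (SoD) check.
Hypothetical illustration of flow 1 (request -> SoD check -> approval ->
provisioning -> periodic certification). Not the OIA/OIM/OES API."""
from dataclasses import dataclass, field

# Constructed SoD policy: each pair of roles must never be held together
# (e.g. creating a vendor record and approving payments to vendors).
SOD_POLICIES = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"journal_post", "journal_approve"}),
}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

def sod_violations(roles):
    """Return the SoD policies that holding this role set would violate."""
    return [policy for policy in SOD_POLICIES if policy <= roles]

def request_access(user, role, approver):
    """Self-service request: reject on SoD conflict, then require approval.
    approver(user, role) -> True stands in for the approval workflow; the
    role is provisioned (added) only when both checks pass."""
    if sod_violations(user.roles | {role}):
        return "rejected: separation-of-duty violation"
    if not approver(user, role):
        return "rejected: approval denied"
    user.roles.add(role)  # provisioning step of the flow
    return "granted"

def certify_access(user, reviewer):
    """Periodic certification: keep roles the reviewer confirms, revoke the
    rest. Returns the revoked roles so the remediation can be recorded."""
    revoked = {r for r in user.roles if not reviewer(r)}
    user.roles -= revoked
    return revoked

def demo():
    """Run the flow on a constructed user and return the observable results."""
    alice = User("alice", roles={"vendor_create", "journal_post"})
    approve_all = lambda user, role: True
    first = request_access(alice, "payment_approve", approve_all)  # SoD conflict
    second = request_access(alice, "report_view", approve_all)     # clean request
    revoked = certify_access(alice, lambda role: role != "journal_post")
    return first, second, sorted(alice.roles), sorted(revoked)

if __name__ == "__main__":
    print(demo())
```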
And as Oracle moves toward a shared services architecture, where components of technology are reused among products as appropriate, the modular approach emerges as the superior architectural model.

Support for Open Standards

The Oracle Identity Platform supports all relevant standards, including LDAP, SAML, WS-Trust, WS-Federation, XACML, OpenID, OAuth, and SPML. Oracle also continues to innovate in the standards community. Recently, Oracle sponsored JSR 351 to introduce the notion of identity into Java. Oracle also is participating in the IETF around adding enterprise profiles for OAuth to enable mobile SSO. Oracle also proposed standards for open authorization (OpenAz) and the Identity Governance Framework (IGF) for attribute sharing.

Connecting to Third Parties and to the Cloud

The identity platform offers technologies that make it easy to integrate with partners, suppliers, and cloud services. The access technologies support all the major federation standards, including SAML 1.x and 2.x, WS-Federation, and OpenID. The access suite also includes a Secure Token Service (STS), which enables token exchange and trust brokering for propagating access and identity across applications and web services, and OWSM provides a WS-Trust 1.4 implementation.

Maturity and Scale

All components of the Oracle Identity Platform are tested for extreme scalability and reliability, supporting millions to hundreds of millions of users. Oracle's platform is also engineered to support Oracle's Exadata and Exalogic platforms, as well as Real Application Clusters (RAC) for database clustering, and Coherence, Oracle's in-memory data grid technology. These technologies have proven to scale under heavy load, with sub-second response times even at extreme scale.

The 11g R2 release offers all the trimmings of a mature product, including support for 28 languages, dedicated field and technical support personnel, partner support among major and boutique integrators, and a large and active user community. Oracle has thousands of customers for its identity products in virtually every vertical and geographic market. Customers also include ISVs that are replatforming their custom solutions with Oracle identity products.

Strong market support for Oracle's IdM platform also promotes the security and longevity of the overall product. Because Oracle's access products have been battle-tested through their presence on large Internet portals, government websites, financial services implementations, and telecommunications infrastructure, all customers benefit from the resulting refinements. Oracle also employs hundreds of trained security experts to write and test the code of each release. In addition, Oracle offers security products for a database firewall, SOA gateway, and data encryption that customers can use to secure the identity platform as well as networked resources.

All Oracle products are engineered to support on-premise deployment as well as hybrid cloud, private cloud, and public cloud models. The Oracle IdM platform is already being used for cloud applications, including applications delivered through Oracle Public Cloud. As announced at OpenWorld, the Oracle IdM platform supports the following configurations through Oracle Public Cloud:

Platform as a service (Java, app server and DB) with all IdM provided by the Oracle IdM platform
Software as a service (CRM and HCM) with all IdM provided by the Oracle IdM platform
Unique enterprise IdM features: full delegated administration and self-service, bulk on-boarding, and customizable UIs

Many of Oracle's identity customers are service providers themselves, and as such they require high scalability, multi-tenancy support, and open connectivity. Today customers are using existing versions of the Oracle identity platform to support cloud requirements. For example, Oracle OnDemand hosts OAM, OAAM and OIF for a large banking customer. Oracle partners such as Simeio and Accenture host OIM/OIA for their large clients. And partners like SaskTel have stood up OIM as a cloud IdMaaS for SMB and vertical market customers.

Platform for Developers

A key difference between point products and platforms is the developer API. A platform enables developers to reuse and extend a common framework, whereas point products only enable programmatic access to a limited set of functions related to the application. The Oracle Identity Platform boasts the most functional, versatile, and open programmatic interfaces on the market.

OPSS provides extensive access to security features in the Oracle platform. The platform itself is based on Java, but developers can take advantage of these features from a range of APIs. For example, a mobile application can use the RESTful interface to authenticate and authorize access. OPSS also supports a SOA interface. Developers can similarly rely on the platform to execute policies based on Business Process Execution Language (BPEL) and eXtensible Access Control Markup Language (XACML). And as developers externalize application security to a common platform, organizations achieve the added benefits of centralized oversight and administration.

Oracle Application Development Framework (ADF) enables user interface (UI) designers to quickly create powerful user experiences. The identity platform is also integrated with Oracle Web Services Manager (OWSM), part of Oracle's SOA Suite. OWSM enables developers to use standards-based methods to secure and identity-enable SOA services. Oracle's connector framework includes toolkits and templates to simplify application integration for most leading infrastructure, platforms, and applications. These connectors can then be reused for provisioning, password management, privilege management, and identity analytics.

Oracle's Commitment to IdM

Despite strong overall market growth, a large number of identity vendors have been acquired or have exited the market. Other companies have slowed their release cycles, leaving customers to fend for themselves while waiting years for new functionality. In contrast, Oracle has made an unprecedented commitment to its identity products.

For starters, Oracle's Fusion Applications, including middleware and business applications, rely on Oracle's IdM products for authentication, authorization, and security services. Oracle Public Cloud also uses the Oracle Identity Platform for IdM features. Consequently, Oracle's internal requirements have helped to justify significantly greater investment than the competition and have allowed Oracle to prove out the platform's architecture and capabilities internally before releasing the platform to the market. More importantly, the Oracle Identity Platform is a thriving business unit within Oracle. With thousands of customers worldwide, dedicated sales and support teams, and double-digit revenue growth, the identity platform is a crucial component of Oracle Fusion Middleware.

Platform Approach with a Pay-as-You-Grow Pricing Model

Oracle's Identity Platform is architected to support an organization's growth. Many customers begin with a distinct project and then evolve and extend their implementation toward a broader and more complete identity management solution. This benefit extends from product architecture to licensing. Oracle offers flexible licensing options that enable growth without requiring detailed user counting and provide the ability to mix and match products to address a broader variety of requirements and use cases, via suite licensing options.

What's Next for the Oracle Identity Platform?

Oracle has already made significant progress on building out a platform for identity and controls, and the path ahead is even more ambitious. Oracle is extending the platform for greater integration with mobile devices, social networks, and cloud applications, and is continuing to refine the user interfaces for administrators and end users.

Simplification and Usability

Oracle continues to refine the platform by rationalizing the data model across the platform, improving the user experience (both for administrative users and end users), and simplifying deployment and manageability. The platform will soon sport a simpler interface, with the experience based on familiar UI metaphors such as catalogs and shopping carts. The UI will also be simple to customize using drag-and-drop changes directly in the browser; no special design or engineering tools are required. Common use cases like self-service password management, access requests, delegated administration, user certification, and workflow approvals will also have a common data model and UI. Oracle will also soon release a Privileged Account Management (PAM) component that will provide secure check-in/check-out of root, administrator, and service account passwords.

Securing Applications on Mobile Devices

Mobile computing is rapidly changing the application landscape for enterprises. As organizations wrestle with security and management repercussions from a tsunami of mobile devices on their networks, the Oracle Identity Platform will make these devices a managed part of the enterprise network. In 11g R2 Oracle added RESTful interfaces to the identity platform, which will extend IdM features to iPhones, iPads, and Android-based devices. In addition, the platform provides a Mobile SDK, which enables organizations to create their own identity-aware applications that can be distributed using Apple's App Store. The RESTful interfaces and the Mobile SDK will provide mobile applications with commonly used IdM capabilities including password management, yellow and white page lookups, and workflow approvals. The Oracle Identity Platform will continue to grow its support for RESTful interfaces and mobile applications.

Cloud

Oracle also continues to enhance support for cloud computing through the identity platform. Oracle is extending its provisioning connector framework to support multiple cloud and on-premise environments. Through the ESSO product, Oracle will also offer federation to the desktop with prebuilt templates for cloud providers and multifactor authentication. Enterprises will soon have the option to use the platform as a full enterprise-grade SaaS offering for user, role, and request management as well as authentication services. And the platform will soon boast tighter integration among its Web Access Management (WAM), federation, Security Token Service (STS), entitlements service, and adaptive authentication components to deliver high performance and scale for complex authentication and authorization schemes.

Conclusion

The rapidly changing business environment is forcing organizations to rethink their IdM strategy. Research has shown that a department-level, point-product approach is costly and ineffective due to lack of integration, gaps in security, and restrictions in scope and scale. What is needed is a platform approach that serves the immediate security and compliance needs while providing an extensible and secure foundation for a long-term enterprise IdM strategy. Oracle's IdM suite of integrated, secure, and highly scalable products meets these requirements, and positions forward-thinking enterprises for success as they enable their users to take advantage of cloud applications and mobile devices. For more information on Oracle's IdM platform, see www.oracle.com/identity as well as blog posts on blogs.oracle.com/oracleidm.

Oracle Identity Platform
March 2012
Author: Mike Neuenschwander

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright 2012, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. UNIX is a registered trademark licensed through X/Open Company, Ltd.