
February 2008 Archives

February 7, 2008

New OID Scalability Paper - 100 Million Users

Last year, in our most impressive sales win for Oracle Internet Directory (OID), we won a competitive evaluation by demonstrating the best performance against the customer's own user database (100 million users): we were faster on less hardware. There are definite benefits to having a decade of experience optimizing OID to run on the Oracle Database.

I'd also mention that once they (and others) get to see what we're bringing out in 11g for our new directory services UI, they're going to realize we're the easiest directory storage server to manage and configure as well.

Without further ado, the 100 million user benchmark is here.

February 8, 2008

Elaborating on Build vs Buy

One of my Oracle colleagues, Pat Shuff, wrote a post on "Build vs Buy". Since he was focusing on an IdM evaluation, I thought I would chime in with how I would have pitched the "value-add", plus some thoughts on how the criteria are weighed in different environments.

The genesis of this was: "They wanted to write a solution that presents a custom image or challenge word embedded in the HTML to prevent a man-in-the-middle attack. This technology is used by many of the larger banks because it has been mandated for financial data. They want to use the technology for human resources data. It makes sense because they need to protect social security numbers."

Now I think Pat may have shot himself in the foot by oversimplifying the problem, as shown here:
"What didn't make sense was that they wanted to build their own solution for this rather than purchase one that already exists. The technology isn't complex. It does require some Java or ASP code, a database, and a way of injecting the image into the authentication screen. This is effectively what CAS does without the custom images. It would be a simple step to change CAS to support the changing images or pass phrases but challenging to present a floating keypad or keyboard. Oracle provides this with the Adaptive Authentication Manager. This product provides the floating keyboard, challenge questions, and custom images as well as a risk analysis tool. I don't want to get into the detail of the product because you can find it yourself."

To catch everyone up - CAS (Central Authentication Service) is a very simple SSO system, popular in higher-ed. For full disclosure - I used to be very deep into CAS back when I was at WebCT. CAS is more similar to Oracle SSO than it is to an actual Web Access Management solution like Oracle Access Manager (OAM) or CA Siteminder.

If I had been Pat, I would have emphasized the following capabilities of Oracle Adaptive Access Manager (OAAM), which are true value-add and are not easily "self-coded":

  • OAAM provides secured authentication using a combination of elements. At the simplest level it lets the user enter their credentials (username/password) via a virtual keyboard. This keyboard has several security measures applied to it to help deter phishing: it is presented on a user-chosen image (chosen from a set of images supplied by the server, not user-uploaded), it carries a time-stamp and a self-chosen keyword, and the image shifts slightly every time it is reloaded (whether for a new session or because the user mistyped their password). All of this information is stored for auditing.
  • More importantly, OAAM additionally provides adaptive risk-management rules. These rules let customers define what counts as "risky" behavior and do something about it. Risky behavior could include things like IP addresses from suspect locations, time of day, client types, etc. The action can be "stop request" with some type of follow-up, ranging from "only allow the user to continue if they answer one of their security questions" to "email customer service and have them call the customer back".
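The second bullet describes a rule engine only in the abstract. The following Python sketch is added here as an illustration; it is not OAAM's own code or rule set. It shows how adaptive risk rules of that kind can be expressed and evaluated: each rule is a predicate with a weight, the weights of the rules that fire are summed per login attempt, and the total selects an action (allow, step up with a security question, or stop the request and notify customer service), with every decision written to an audit record. The rule names, weights, thresholds, suspect network, known-client table and the sample login attempts are all constructed for this example.

```python
"""Rule-based adaptive risk scoring for login attempts (illustrative example).

Everything here is constructed for illustration: the rules, weights,
thresholds, the suspect network, the known-client table and the sample
attempts are assumptions, not OAAM's configuration.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class LoginAttempt:
    user: str
    src_ip: str
    timestamp: datetime      # treated as UTC
    user_agent: str
    failed_pw_attempts: int  # wrong passwords earlier in this session


# Assumed policy data (a real deployment would load these from its own
# threat intelligence and from per-user login history).
SUSPECT_NETWORKS = [ip_network("203.0.113.0/24")]   # RFC 5737 TEST-NET-3
KNOWN_CLIENTS: Dict[str, Set[str]] = {
    "alice": {"CorpBrowser/1.0 (Windows)"},
}

# A rule is (name, weight, predicate over the attempt).
Rule = Tuple[str, int, Callable[[LoginAttempt], bool]]


def from_suspect_location(a: LoginAttempt) -> bool:
    ip = ip_address(a.src_ip)
    return any(ip in net for net in SUSPECT_NETWORKS)


def off_hours(a: LoginAttempt) -> bool:
    # Logins between 00:00 and 04:59 are unusual for this (assumed) workforce.
    return a.timestamp.hour < 5


def unknown_client(a: LoginAttempt) -> bool:
    return a.user_agent not in KNOWN_CLIENTS.get(a.user, set())


def repeated_failures(a: LoginAttempt) -> bool:
    return a.failed_pw_attempts >= 3


RULES: List[Rule] = [
    ("suspect_ip", 50, from_suspect_location),
    ("off_hours", 20, off_hours),
    ("unknown_client", 25, unknown_client),
    ("repeated_failures", 30, repeated_failures),
]

CHALLENGE_AT = 30   # at or above: step up with a security question
BLOCK_AT = 70       # at or above: stop the request and notify support

AUDIT_LOG: List[dict] = []   # every decision is recorded for later review


def decide(attempt: LoginAttempt, rules: List[Rule] = RULES) -> Tuple[int, List[str], str]:
    """Evaluate every rule once, sum the matched weights, map the score to an action."""
    hits = [(name, weight) for name, weight, pred in rules if pred(attempt)]
    matched = [name for name, _ in hits]
    score = sum(weight for _, weight in hits)
    if score >= BLOCK_AT:
        action = "block_and_notify_support"
    elif score >= CHALLENGE_AT:
        action = "challenge_security_question"
    else:
        action = "allow"
    AUDIT_LOG.append({
        "user": attempt.user, "src_ip": attempt.src_ip,
        "at": attempt.timestamp.isoformat(), "client": attempt.user_agent,
        "matched": matched, "score": score, "action": action,
    })
    return score, matched, action


# Constructed sample attempts: a normal login, an odd one, and a hostile one.
SAMPLE_ATTEMPTS = [
    LoginAttempt("alice", "198.51.100.7", datetime(2008, 2, 8, 14, 3),
                 "CorpBrowser/1.0 (Windows)", 0),
    LoginAttempt("alice", "198.51.100.7", datetime(2008, 2, 8, 3, 15),
                 "OtherBrowser/9.9 (Linux)", 0),
    LoginAttempt("alice", "203.0.113.9", datetime(2008, 2, 8, 3, 15),
                 "OtherBrowser/9.9 (Linux)", 4),
]


def run_samples() -> List[Tuple[int, str]]:
    """Score each sample attempt and return (score, action) pairs."""
    return [(score, action) for score, _, action in map(decide, SAMPLE_ATTEMPTS)]


if __name__ == "__main__":
    for attempt, (score, action) in zip(SAMPLE_ATTEMPTS, run_samples()):
        print(f"{attempt.user}@{attempt.src_ip} score={score:3d} -> {action}")
```

The interesting part is not the scoring arithmetic but what feeds it: the suspect network list, the per-user client history and the weights are the "risk database" the post refers to, and their value comes from being updated from many customers' experience rather than from one team's guesses.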

Neither of these, the risk analysis in particular, is easy to build yourself. More importantly, you want your risk database to account for as wide a range of risky behavior as possible, and that breadth can only come from a collaborative effort. In this case the collaboration happens through feedback from customers, which then feeds OAAM development.

I would also gather that neither option would necessarily deter the developers at the customer. After all, you want smart people who have the confidence to build just about anything; that is the core of a good developer. However, the CIO or VP who is making the decision has to evaluate the risk/reward of doing this.

Hopefully they would begin to see the Oracle Identity & Access Management products as a suite of tools that lets them take the risk of maintaining security code out of the organization itself and leave it to the experts, while at the same time making it easy for application developers to leverage that expertise.

That is the core of our concept of "application-centric" security.

As for those hotshot developers: hopefully their manager would recognize that if they have the talent to build something like OAAM, they could be working on something that would really help the organization differentiate itself in the market, rather than redoing something that isn't at the core of the business.

Of course if those hotshot developers really wanted to come work on cool security stuff and make the world (online world anyway) a safer place - they should drop me a line.


About February 2008

This page contains all entries posted to Virtual Identity Dialogue in February 2008. They are listed from oldest to newest.
