Talking Identity

I'm back after a short (much needed) hiatus, and so there are a few things I wanted to catch everyone up on.

In my last post, I told you of a webinar that I was going to participate in on the topic of application-centric IdM. Well, it happened, and was a pretty well received webinar. It was in the form of a panel discussion, and we got so engrossed in it that we went a little over time. So we didn't get the chance to answer as many questions as we would have liked. If you weren't able to attend the webinar, then check it out now by accessing the replay of the webinar: Leveraging Identity Management for Applications. And please send your questions my way. I will make sure to direct them to the right individuals.

Also, Oracle recently put together an interesting podcast series entitled "Focus on Identity Management". In it, some of the smartest people at Oracle working on IdM talked about some fairly interesting topics, like fine-grained authorization, attestation, virtual directories and standards. And of course, yours truly made his podcasting debut with a little piece on (you guessed it) application-centric IdM. The whole experience was quite interesting. Check out the series by going to www.oracle.com/identity and accessing the podcasts that are under the "Video and Podcasts" section on the right.

On a different note, it turns out that I will have to rename my blog, as Stephen Brands over at Credentica has a blog with the same name. And (unfortunately for me), he has had it for a much longer time. In an interesting coincidence, it turns out that Speakers Corner in Hyde Park was the inspiration for both of us to name our blogs the same. As it stands, I am officially searching for a new name. If you have any ideas, send them my way.

Inspired by the Daimler-Chrysler series of ads around the enigmatic Dr. Z, I am starting a new series in my blog called "Ask Dr. K" (you'll find a link to that section on the right under Site Navigation). This is also a play on the fact that some of my colleagues mockingly refer to me as Dr. K around the office (presumably more to do with my constantly espousing IdM around the office, and less to do with any real claim to solve problems that I can make).

In this series, I will posting answers to some of the more interesting questions that are coming my way, both from within Oracle and externally. If you would like to ask a question, send it my way by emailing me.

The first question in the series is an interesting one posed by one of our guys on an internal mailing list, trying to make sense of the myriad of IdM products we have here at Oracle.

It seems like there is a fine line between how one defines directory synch. and provisioning.  Provisioning seems more rules and mapping based while plain synch. (i.e. DIP or other metadirectory engines) appears to be more of a one to one activity with less intelligence and no workflow. I'd like to hear everyone's thoughts on this.

Dr. K says:
On the surface, there seems to be quite a bit of overlap between the two. After all, the primary function of both systems is to move around data. The main difference that I see is that directory synchronization is an IT solution, while provisioning is a business solution.

Directory synchronization can be viewed as a loose way to link directories. It exchanges data between directories, providing various levels of integration and control. It can enable two directories to stay in sync by sharing information between them, or it can maintain data synchronization between a directory and some external data source (e.g. an HR System database). The focus is on the data, and it is usually practical only where the data and schemas of the two directories are similar, and data can be mastered in both. The rules and filters governing synchronization are usually technical in nature

Provisioning approaches this same problem from a business solution perspective. It provides human interface tools for requesting access, workflow capabilities, role-based decisions, and business and security policy management. It deals with ad-hoc situations, and supports a myriad of business capabilities like reporting, attestation and SoD management - capabilities that directory synchronization tools are not geared towards.

So, when trying to solve the business problems of identity management, go for a provisioning tool. When trying to solve a technical problem around data management, go for a directory synchronization tool.

Next week (actually, starting Saturday) is Oracle OpenWorld, Oracle's annual conference dedicated to helping enterprises understand and harness the power of information. From what I hear, it is going to be huge, and San Francisco is already starting to look Oracle red, with banners and signage everywhere. I have never been to an OpenWorld conference before, so I am really looking forward to the experience.

This year, there will be a decent number of sessions on Identity Management during the conference, where different areas of IAM will be explored. It reflects how important IdM has become to Oracle's middleware business, and the sessions should be very interesting. Of course, all the products will be on display at the demo booths, and executives will be available to discuss why Oracle is the best (of course). And I am especially looking forward to the keynote by Thomas Kurian.

Warning: Blatant self promotion follows.

Yours truly will be talking at two sessions. The first one will be an open talk about role management and provisioning (Session S281675: Role Management and Provisioning: Creating Economies of Scale in Identity Management). The second one will be more of a visionary dialogue centered on  (what else) application-centric IdM, and identity-enabling business applications (Session S281669: The Oracle Identity Services Container: Identity-Enabled Applications Made Easy). While the title may be a little misleading, it essentially picks up where the webinar left off a few weeks ago, providing more detail about how Oracle's unique approach to IdM will transform the way applications are developed and deployed. Since this vision is being developed in conjunction with our customers and partners, the goal of the session is to share findings so far, and continue the discussion that has been driving our work in the area. If you feel up to it (the session is at 9:30 in the morning, not by my choosing), attend the session and share your thoughts.

For more information, go to www.oracle.com/openworld. Hope to see you there.

The last few days, I have been experiencing the spectacle that is OpenWorld. And what a spectacle it is. Howard street is blocked off, covered by a huge tent. Everything, even buses, are painted Oracle colors, and every signal change at the intersection lets loose a sea of people rushing around trying to get to the keynotes and sessions. Watching 42,000 people moving around in the 3 blocks that make up Moscone Center is quite a site.

The keynotes have been interesting and informative. At his keynote today, Larry Ellison announced the availability of Unbreakable Linux from Oracle. He also celebrated the 20th anniversary of Oracle getting listed on the Nasdaq as a public company by ringing the closing bell from the keynote hall. Yesterday, Thomas Kurian gave a really good keynote describing how all of fusion middleware, including identity management, is coming together to help enterprises streamline their business operations. It helped lay the foundation for all the middleware sessions that followed, ranging from discussions on SOA adoption to IdM strategies and best practices.

This morning I participated in a session describing how role management and provisioning, when used together, can help make IdM a manageable, scalable solution for enterprises. What I would have liked to have said was unfortunately way too much to fit into the one hour time slot we were given. Sid Choudhury, a product manager in our IdM team, went on to describe the role management reference architecture that we at Oracle are proposing. This reference architecture builds on some of the concepts that I have touched upon in previous posts, and lays the foundation for what enterprises should be thinking about as they go about planning their role management deployments. The architecture diagram is given below (click on it to see a bigger version).



In a future post, I will discuss some of the questions we received at the end of the session.

Thursday, I had a session on Application-Centric Identity Management, describing how it will change the way applications are built. Despite the early hour of the session, a few brave souls did show up, which was quite gratifying. While the session flew by, I did have some interesting conversations with a few of the attendees.

In the session, I laid out the initial design of the Identity Services Framework, which Oracle is working on as a manifestation of the ideas behind application-centric IdM. It describes a framework that allows IdM to be deployed as enterprise infrastructure, consumable by applications that are trying to become identity-enabled. I discussed the kind of identity services that comprise the ISF, some of which were not immediately intuitive as services. During the course of the few days at OpenWorld, I had quite a few discussions about the ISF, its complexity, applicability and general viability in the marketplace. I will try to bring some of these ideas to light through some future postings.

Below is the high-level diagram of the ISF, as presented at OpenWorld. As always, click on the image to see a bigger version.



As always, looking forward to talking about this with all of you.

Those interested may have noticed that last week I rebranded my blog to its new name - Talking Identity. Thanks to all those that gave me suggestions (even the ones given sarcastically). Hopefully this resolves any conflicts that arose with the previous name I had chosen.

The name reflects what I hope to do through my blog, namely engage with the identity community in a discussion about identity and identity management.

I have also registered the url www.talkingidentity.com, so you can use that as well when trying to get to my site.

Stay tuned for more...