Talking Identity

Intrigued? The guys over in our Directory Services group (part of Oracle Identity Management) have just come out with a new offering which has a doozy of an acronym, even by Oracle standards. OAS4OS stands for Oracle Authentication Services for Operating Systems, software that greatly simplifies the authentication and account management process of Unix and Linux servers. It was available previously in preview mode, and that too only for Linux. This first generally available release adds support for all major flavors of Unix and Linux, including Oracle Enterprise Linux, RHEL, SLES, Sun Solaris, IBM AIX and HPUX.

The OAS4OS offering integrates Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD) with a suite of tools and scripts to create a centralized identity and authentication store that slips in neatly into the PAM modules of these operating systems. As a result, you get:

• Centralized administration of user accounts across the entire Unix/Linux environment
  
• Single Sign-On across both enterprise applications and the Unix/Linux environment
• Powerful password policy capabilities
• Simplified management of the deployment
  

All resulting in better security and compliance. So say farewell to the (not so good) old days of local account management on the OS itself, and to insecure file-based mechanisms of provisioning accounts to NIS, all of which gave compliance officers headaches.

While it was possible to address this before using a similar approach, OAS4OS takes all the manual migration efforts, the guesswork and the expertise required in LDAP and PAM technologies to do this, and wraps it all up into a neat, easy to deploy package.

There are a number of helpful links in the press release, so check them out.

The ever thought-provoking Pamela Dingle has issued a challenge to Enterprise Application vendors. In it, she puts forth the idea that technology and market demand has reached the point where those in the business of building and selling enterprise applications should (must?) figure out how to externalize authentication. But she also points out what has held off vendors from doing this already:

"In talking to your fellow vendors, I can almost feel the panic - you can't possibly support all of the new technologies coming out, you aren't even supporting technologies that are years old - how do you choose?"

That sentence captures in a nutshell the need for Identity Services, and why those of us in the IdM industry would do well to develop this vision. Externalizing identity is all about providing application developers reusable services that are independent of the underlying provider of those services. That will enable, as Pam puts it, vendors to "set up your application so that the customers can write their own identity front-end integrations".

Authentication and Authorization are definitely at the forefront of this revolution in application development, mainly due to the ratification of decent standards in this area (like SAML and XACML). But there are many more facets to identity that need to escape from the application black box.

Oracle, as an application vendor with its large suite of enterprise applications and its full stable of IdM products, is faced with this same issue, probably more so than any other vendor. It is a question that has produced many hours of hallway discussions and burnt up the conference lines (I wouldn't want to see that phone bill). Oracle is tackling this issue head on, as should be evident from today's announcement (and Thomas Kurian's keynote) at RSA unveiling our strategy for Service-Oriented Security. SOS covers the four stages of an application lifecycle - development, deployment, administration and governance. With SOS, organizations can now centralize and externalize security solutions as part of a flexible security architecture. Recent identity related efforts like the Identity Governance Framework are also part of this architecture, providing the ability to deliver privacy-aware applications.

The vision for Identity Services that I have been (passionately) talking about on this blog and in conferences is part of this larger view of an application's lifecycle. In fact, the IdM team has just published a whitepaper on Identity Services to accompany this announcement, to which I contributed a lot of the content that I have been developing and presenting in my talks. If you are up for some interesting reading, download and check out the whitepaper. And as always, send your comments on the ideas and thoughts my way. I would love to hear your views on the vision.