Some Answers To Questions On Building Identity Enabled Applications

James McGovern asked more questions including this.

"- Virtual Directories: What role should a virtual directory play in an
Identity metasystem? Should virtual directory be a standalone product
in the new world and simply be a feature of an STS? If an enterprise
were savage in consolidating all directory information into Active
Directory, why would I still need virtualization?"

[MEW] I think my answers from our last exchange answer this question.

Now are the rest of the questions:

"protocols:Nowadays, the folks over at the Burton Group such as Bob
Blakely, Dan Blum and Gerry Gebel have put together the most wonderful
XACML interoperability events. The question that isn't addressed is if
I am building an enterprise application from scratch, should I
XACML-enabled, think about integrating with STS, stick to traditional
LDAP invocation or something else?"

[MEW] Most enterprise architects are familiar with how abstract security using features that range from official standards like JAAS to de-facto standards like Apache modules to various application frameworks (including .NET and ACEGI) that facilitat this. And then encourage implementers of such entities to support XACML. Oracle (and BEA) have demonstrated XACML support and we're building support for it into our future products.

"Entitlements: One missing component of the discussion is
authorization and their is somewhat too much focus on identity.
Consider the scenario where if you were to ask my boss if I am still an
employee, he would say yes as he hasn't fired me yet. Likewise, if you
ask him what are all of the wonderful things I can access within the
enterprise, he would say that he has no freakin clue, but as soon as
you figure it out, please let him know. Honestly, even in my role,
there are probably things that I can do but shouldn't otherwise have
access to. So, the question becomes how come the identity conversation
hasn't talked about any constructs around attestation and authorization?"
[MEW] Oracle Role Manager is explicitly designed to help solve the problem of determining what enterprise roles there are, translating those into IT roles which then result in system privileges. It then integrates with a provisioning system (like Oracle Identity Manager) so that access is maintained based on hire/termination/change-of-enterprise-role status. Additionally Oracle Adaptive Access Manager (OAAM) provides for a risk-based access control solution that can authorize actions based on your context and environment (e.g. you normally only try to pay move money between 7-9pm EST from IP address but if suddenly you get a request to do this at 5am from an IP in outer Elbonia, it can do wide range of activities such as requiring you to call a phone number and answer security questions to help verify it's you).

"Workflow: Have you ever attempted to leave a comment on Kim Cameron
blog? You will be annoyed with the registration/workflow aspects. The
question this raises in my mind is what identity standards should exist
for workflow? There are merits in this scenario for integrating with
the OASIS SPML standard, but I can equally see value in considering
BPEL as well."
[MEW] I don't think this is a standards problem as much as a usability problem. For example compare mobile web life before iPhone to after the iPhone. Prior to iPhone - mobile web was usuable but painful because of multiple-clicks. One of the really great things of iPhone/iPod Touch is not that it has Safari (though it helps) but being able to put commonly used Web apps in reach of a single-click (which happens to be a touch). Both systems use the same core standards (HTML and Hyperlinks) just one is more usable than the other. Personally, I think SPML or BPEL is fine, but they are really focused on what happens after you hit the Submit button. The UI component of the workflow is going to be driven by other standards (such as in 11g SOA TP4 preview we can use convert BPEL Human Workflow tasks  to ADF Task Flows which can help make it easier to have a usability guru work their magic).

"Education: Right now the conversation regarding identity is in
the land of geeks and those who are motivated to read specifications.
There is a crowd of folks who need things distilled, the readers digest
version if you will. Traditionally, this role is served by industry
analysts such as Gartner and Forrester. What would it take for this
guys to get off their butts and start publishing more thoughtful
information in this space?"
[MEW] Nobody wants to read specs. I've probably read more identity specs than almost anyone on the planet and I hate reading them. This is why we at Oracle are focused on application-centric security and security as a service. Developers and applications should just be able to depend on calling an API or service & have it "Do the Right Thing".

"Conferences: When do folks think that the conversation about
identity will occur at other than identity/security conferences? For
example, wouldn't it have been wonderful if Billy Cripe, Craig Randall and Laurence Hart where all talking about the identity metasystem in context of ECM?"
[MEW] Why would they want to talk about identity at their conference? After all I bet they don't talk about any other core service component at their conferences either - meaning when was the last time they talked about DNS? It's just not something they want to care about and frankly, they shouldn't care about. This is the core of Oracle Security As A Service concept - developers learn to leverage identity as a service and use proper API calls (e.g. the biz dude says "only managers can access this document" so the developer makes a standard API call that leverages a policy service that in effect says " if (userIsInRole("manager")) { fetchDoc(x)}") then applications won't be maintaining their own identity information and there won't be a need for wondering why ECM conferences don't talk about identity.


Post a Comment:
  • HTML Syntax: NOT allowed



« April 2014