Oracle said it is pushing a new security framework
to help companies better protect sensitive employee, customer and partner
information exchanged through applications.
Ping Identity, Securent, CA, Novell and Sun Microsystems are joining Identity Governance Framework (IGF), an effort Oracle is spearheading to fill a void in security standards.
IGF addresses what happens once data gets into corporate applications,
making it a complementary spec to basic identity management standards, such
as Liberty’s Identity Web Services Framework (ID-WSF) and OASIS’s
Security Assertion Markup Language (SAML).
Oracle hopes to take IGF to a standards body such as
W3C, OASIS or the Liberty Alliance for further development, at a time when
Web security is a huge area of concern for corporations that must meet
federal regulations requiring stringent privacy policies.
IGF is crucial for meeting compliance rules and elementary security
requirements, according to Amit Jasuja, vice president of development for
security and identity management at Oracle.
To date, specifications from the Liberty Alliance, Higgins Project and
Microsoft enable businesses to gather personal data from customers and
bring it safely into the enterprise system for use among partners, suppliers
and customers.
But Jasuja said those efforts do not address the problem of what happens to
user data when it gets inside corporate applications.
Nobody is tracking which applications personal data, which can include PINs,
Social Security numbers or even credit card and bank account information,
ends up in, or whether that data is being used appropriately and by
authorized personnel.
“Every one of these applications has information about employees, customers
and users that is basically being handled by developers and DBAs — people
who aren’t necessarily security experts,” Jasuja told
internetnews.com.
“Because of the wide range and number of these systems, it is impossible for
information security officers to get a handle on who’s doing the right thing
and who’s not.”
For example, a patient’s medical history should exist only under a contract
between the patient and the primary care physician, and should not be
extended to a nurse practitioner or insurance broker.
Today’s ID management specs fail to offer that wall between users; IGF aims
to remedy that gap, Jasuja said.
This is a major issue, Jasuja said, because only 20 percent of
identity-related data resides safely in a corporate directory; the remaining
80 percent resides in applications for finance, human resources or customer
relationship management.
This potential security hole must also be filled because of the
preponderance of federal regulations that require corporations to keep
sensitive data locked up.
Inconsistencies can mount in applications, which can put information at risk
and unnecessarily trigger privacy violations, which can become a security
officer’s worst nightmare in the face of an audit.
IGF offers a standard way for corporations to define policies to securely
share sensitive personal information between applications and identity
sources.
Jasuja said IGF will help companies control how ID-related data is used,
stored and propagated across several systems in a partner network, through a
system of “contracts” between applications and identity data sources.
IGF includes four key components, including two new markup languages.
Client Attribute Requirement Markup Language (CARML) is an XML-based
contract defined by application programmers that informs deployment managers
and service providers about the attribute usage requirements of an
application.
Attribute Authority Policy Markup Language (AAPML) is a set of policy rules
regarding the use of ID-related information from an identity source that
allow these sources to place constraints on the use of ID data by
applications.
The CARML API will let developers write applications that consume and use ID
data based on policies set by the AAPML.
Finally, the identity service is a policy-secured service for accessing ID
data from multiple identity sources.
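The four components above describe a two-sided contract: the application states what identity attributes it needs and why, the identity source states the conditions under which it will release them, and a policy-secured service sits between the two. The following Python model is an added illustration of that arrangement; it is not Oracle’s code and does not use the real CARML or AAPML XML syntax, which the article does not show. All class names, fields and sample records are constructed for this example.

```python
"""
Toy model of the IGF "contract" idea: an application declares the attributes
it needs and its purpose (the role the article gives CARML), an identity
source publishes release rules (the role of AAPML), and a policy-secured
identity service releases only what both sides agree on.

Constructed illustration only: these names are invented for the example and
are NOT the real CARML/AAPML schema or any Oracle API.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class AttributeRequirement:
    """One attribute the application says it needs (hypothetical CARML-like entry)."""
    name: str
    purpose: str          # e.g. "billing", "payroll"
    persisted: bool       # does the application intend to store the value?


@dataclass
class ApplicationContract:
    app_id: str
    requirements: List[AttributeRequirement]


@dataclass(frozen=True)
class ReleaseRule:
    """One rule from the identity source (hypothetical AAPML-like entry)."""
    attribute: str
    allowed_purposes: FrozenSet[str]
    allow_persist: bool
    allowed_apps: FrozenSet[str]   # empty set means any registered application


@dataclass
class AttributeAuthorityPolicy:
    source_id: str
    rules: Dict[str, ReleaseRule] = field(default_factory=dict)


def evaluate_contract(contract, policy):
    """
    Policy-secured identity service: check each requirement in the contract
    against the source's rules. Returns (granted_names, denied) where denied
    maps attribute name -> reason. Attributes with no rule are denied by default.
    """
    granted, denied = [], {}
    for req in contract.requirements:
        rule = policy.rules.get(req.name)
        if rule is None:
            denied[req.name] = "no release rule for attribute (default deny)"
        elif rule.allowed_apps and contract.app_id not in rule.allowed_apps:
            denied[req.name] = f"application {contract.app_id} not authorized"
        elif req.purpose not in rule.allowed_purposes:
            denied[req.name] = f"purpose '{req.purpose}' not permitted"
        elif req.persisted and not rule.allow_persist:
            denied[req.name] = "policy forbids storing this attribute"
        else:
            granted.append(req.name)
    return granted, denied


def release_attributes(contract, policy, identity_record):
    """Filter a stored record down to the attributes the contract may receive."""
    granted, denied = evaluate_contract(contract, policy)
    released = {k: v for k, v in identity_record.items() if k in granted}
    return released, denied


# --- constructed sample data (placeholders, not real identities) -------------
HR_POLICY = AttributeAuthorityPolicy(
    source_id="hr-directory",
    rules={
        "email": ReleaseRule("email", frozenset({"notification", "billing"}), True, frozenset()),
        "ssn": ReleaseRule("ssn", frozenset({"payroll"}), False, frozenset({"payroll-app"})),
        "bank_account": ReleaseRule("bank_account", frozenset({"payroll"}), False, frozenset({"payroll-app"})),
    },
)

PAYROLL_APP = ApplicationContract("payroll-app", [
    AttributeRequirement("email", "notification", persisted=True),
    AttributeRequirement("ssn", "payroll", persisted=False),
    AttributeRequirement("bank_account", "payroll", persisted=True),   # wants to store it
])

CRM_APP = ApplicationContract("crm-app", [
    AttributeRequirement("email", "billing", persisted=True),
    AttributeRequirement("ssn", "billing", persisted=False),           # wrong app and purpose
    AttributeRequirement("medical_history", "billing", persisted=False),  # no rule at all
])

SAMPLE_RECORD = {
    "email": "j.doe@example.com",
    "ssn": "000-00-0000",              # constructed placeholder
    "bank_account": "ACCT-PLACEHOLDER",
    "medical_history": "REDACTED",
}

if __name__ == "__main__":
    for app in (PAYROLL_APP, CRM_APP):
        released, denied = release_attributes(app, HR_POLICY, SAMPLE_RECORD)
        print(app.app_id, "released:", sorted(released), "denied:", denied)
```

The point the model makes is the one Jasuja raises: the decision about who may see a Social Security number or bank account is recorded once by the identity source, and a developer’s application cannot widen it by simply asking for more. The payroll application’s request to store the bank account number is refused even though it is otherwise authorized, and the CRM application gets only the e-mail address.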
Now that Oracle has taken the standard public, the next logical move is to
submit it to a standards body for further development at a more public
level.
Rolling IGF into a standards body should also make the specs more appealing
to Oracle rivals that may be hesitant to join the effort because the
software giant is its chief architect, Jasuja said.
For example, Jasuja said that some of the vendors Oracle invited to join
IGF, including Microsoft, IBM and BEA Systems, are taking a wait-and-see
approach and are reluctant to come aboard because Oracle is fueling the
framework.
He also said Oracle is looking at the W3C, OASIS and Liberty Alliance among
others as potential homes for IGF.
In the meantime, Jasuja said Oracle is also inviting additional vendors and
customers to review and contribute to the key draft specifications.
“The whole governance model is seamless and is something that can be
developed across the board,” Jasuja said. “We hope that once we make the
initiative within a standards organization, more people will join it and
collaborate on this.”
Sun’s vote is for IGF to be tucked into Liberty, where it is a prominent
member.
“Sun supports its submission to a standards body and thinks the Liberty
Alliance may be best, as it is a natural and essential evolution of the work
already done within that organization,” said Don Bowen, director of identity
integration for Sun.
Oracle has come on strong as a security software provider in the last two
years, acquiring Oblix,
Thor Technologies and
OctetString for Web single sign-on, provisioning and virtual directory
software, respectively.
Article courtesy of internetnews.com