Wednesday, October 22, 2008

Part 1 of my conversation with Amit Jasuja from Oracle

For those that are unaware, Amit is Oracle's Vice President of Development for their Identity Management Product Suite.

I tried to catch him during his last visit to London but our schedules didn't allow for it. This time, it hasn't quite gone 100% to plan either as I'm not available on the day he's in London this week. So we had to make do with a chat on the phone today while he's in Prague for the Burton Group Catalyst Conference. And before anyone asks, yes Oracle PR set up the call. I'm not one to turn down interesting conversations about Identity Management.

Naturally the topic of conversation was related to all things Oracle, particularly their Identity Management products. Top of the list of topics was Oracle's release of the new version of their Adaptive Access Manager (OAAM) product. To his credit, Amit let me take the conversation wherever I wanted.

I did actually start by asking about OAAM, given how little I knew about it (never having seen it in action). This blog post details the part of our conversation that was focused on OAAM. We spoke about other things as well, which I will write about in a follow up post.

I'd only read about OAAM through articles, data sheets and whitepapers. Oracle's whitepapers are actually pretty good compared to the other large vendors as they give away quite a lot of information. Others tend to release short, crappy whitepapers that don't say a lot so you're forced to speak to their sales reps in person if you want to learn anything.

I didn't want to focus on the press release because to a person who doesn't know a great deal about a product (i.e. me), being told about new features is pretty useless. My aim was to understand OAAM a little better. So I started by asking how Oracle positions OAAM against Access Manager (OAM), and Entitlements Server (OES) (which they got via the BEA acquisition earlier this year).

Oracle sells their products much like other large vendors. They go with a solution approach and then figure out which products fit the specific customer requirements. Oracle does this by using an "Access Management Suite" umbrella, under which they slot OAM, OES, Oracle Identity Federation and to a certain extent their Enterprise Single Sign-On (ESSO) offering (which is actually Passlogix re-branded via the OEM agreement).

The other bits and pieces I just mentioned are as you would expect: OAM does web access management and coarse-grained access control (just like the other large vendors), OES does fine-grained access management and is very much focused on programmatic controls and SOA (with a big dose of XACML), Identity Federation does all the Federated Identity stuff (SAML, Liberty, WS-* etc.) and ESSO does desktop single sign-on.

OAAM, on the other hand, is another animal altogether. None of the other large vendors have a product like it (I wrote about the Bharosa acquisition last year) and it does do a lot of useful things (assuming it works as prescribed). Amit mentioned that OAAM is typically implemented by organisations that are looking to address fraud or simply want more than the prescriptive, static, coarse-grained access controls that the standard web access management products provide.

OAAM does this via behavioural analysis based on risk scoring. I don't know how sophisticated the policies can get, but the key is that it does this in real time based on a multitude of factors including the meta-data around the user's persona, session details, contextual information and historical aspects of the user's known actions. For example, if a person typically puts through one trade a week of a value around $1000 and they suddenly do multiple trades on a single day, each of a value greater than $5000, then this could raise a flag or even prevent the actions. There are obviously thresholds and a bunch of policies that need to be implemented to make this happen, and I'm under no illusions that it's the easiest thing in the world to do.

Amit was also correct in pointing out that people have to be careful when implementing these policies because you can potentially get lots of false positives and will have to spend time tuning them. This is something I'm quite familiar with from my time spent in data security. Whenever there are a bunch of contextual factors in play, you will no doubt get false positives. If you don't manage it properly, you will get LOTS of false positives effectively rendering your solution useless.
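As an added illustration (my own toy code, not Oracle's and not how OAAM scores anything internally), here is the kind of behavioural scoring and threshold tuning described above, run over constructed trade data that follows the "one trade of about $1000 a week" pattern. The weights, thresholds and the trade history are all assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median

@dataclass
class Trade:
    day: date
    amount: float

def baseline(history):
    """Per-user baseline: typical trade size and typical trades per week."""
    amounts = [t.amount for t in history]
    span_days = (max(t.day for t in history) - min(t.day for t in history)).days + 1
    per_week = len(history) / (span_days / 7)
    return median(amounts), per_week

def risk_score(history, todays_trades):
    """Score one day's activity against the baseline; 0 means it matches habits."""
    typical_amount, typical_per_week = baseline(history)
    score = 0
    # Amount factor (assumed weight): each trade over 3x the usual size adds 30
    for t in todays_trades:
        if t.amount > 3 * typical_amount:
            score += 30
    # Frequency factor (assumed weight): doing in one day what normally takes
    # two or more weeks adds 40
    if len(todays_trades) >= max(2, typical_per_week * 2):
        score += 40
    return score

def decide(score, flag_at=40, block_at=80):
    """Tunable thresholds: raising them trades false positives for misses."""
    if score >= block_at:
        return "block"
    if score >= flag_at:
        return "flag"
    return "allow"

# Constructed history: eight weekly trades, all around $1000
START = date(2008, 8, 6)
HISTORY = [Trade(START + timedelta(weeks=i), a)
           for i, a in enumerate([950, 1020, 1000, 1100, 980, 1050, 990, 1010])]
TODAY = date(2008, 10, 22)
NORMAL_DAY = [Trade(TODAY, 1100)]                          # matches habits -> 0
BURST_DAY = [Trade(TODAY, 6000), Trade(TODAY, 5500), Trade(TODAY, 7000)]  # 130
BORDERLINE_DAY = [Trade(TODAY, 4000)]                      # 30: flagged only if tuned

if __name__ == "__main__":
    for label, day in [("normal", NORMAL_DAY), ("burst", BURST_DAY), ("borderline", BORDERLINE_DAY)]:
        s = risk_score(HISTORY, day)
        print(label, s, decide(s), decide(s, flag_at=30))
```

The borderline day shows the tuning problem Amit raised: with `flag_at=30` it is flagged, with the default `flag_at=40` it is allowed, and which is right depends on how many such days turn out to be legitimate.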

The thing that surprised me was that it also takes into account the information you're dealing with, not just identity and session information. I'm talking about the business data, which allows for more data-centric policies (something that is sorely lacking in many access control environments). Of course, I'm a bit biased in this respect because, thanks to my time in data security, I now think everything should be related back to data in some way instead of being based on static, reactive access controls. In other words, I think real-time security controls need to take identities, context and data into account. Again, Amit did warn that the data-centric stuff has to be balanced against performance. The more in-line data you watch for, the slower OAAM is going to get.

OAAM does have more features than I've mentioned (including additional authentication mechanisms you won't find in stock standard web access management products) but I don't work for Oracle so I won't go through all of them. If you're really interested, go read the supporting materials.

I still think there's more that could be done to improve the product. They've only scratched the surface of sophistication that one could have in performing data-centric, identity and context aware controls based on real-time behavioural analysis. But it's a decent start towards making access control more pro-active instead of the traditional reactive measures we've had to implement in the past. Most importantly, it's something the other large vendors don't have (but would love to be able to whip out in a sales situation). So for now, Oracle can wave it around in the faces of the competition.

I should stress once again that I have yet to see it in action so I can't speak for its reliability, ease of implementation or that it does everything Oracle says it can do. But as the saying goes: "in the kingdom of the blind, the one-eyed-man is king" :-)

I'll write about the other things we spoke about in a follow up post.

1 comment:

chuck said...

Hi Ian
Great article...
I do want to point out that other vendors also offer risk based authentication solutions integrated with their web access management and entitlements management products. Essentially, access controls can be defined on any resource based on the context of authentication. Contextualized authorization is gaining ground with customers as they can provide different levels of access to the same user based on the risk associated with authentication.

Although large vendors position multiple products as a solution, customers are pushing back asking for a solution instead of many products - one for web access management, another for federation, yet another for risk based authentication and entitlements management and so on, with very minimal integration between them. At a minimum, I'd think that web access management, entitlements management and federation would collapse into a single product tied to a risk based authentication solution.

Chuck