Thursday, October 23, 2008

Part 2 of my conversation with Amit Jasuja from Oracle

I mentioned yesterday that I spoke with Amit Jasuja, Oracle's Vice President of Development for their Identity Management Product Suite. This is the follow-up post to part 1, which focused on Oracle Adaptive Access Manager (OAAM). In this post, I'll cover some of the other things we discussed.

It's probably a good idea to point out that we discussed some roadmap items and even though Amit didn't remind me that items on a roadmap are not guarantees that functionality will make it into the planned release, I'll do Oracle the favour of mentioning it on their behalf. I used to have to do this all the time so I'm aware of the drill :-)

Apart from discussing OAAM, I revisited some of the questions I asked Oracle President Charles Phillips when I met him earlier this year (because Charles didn't really answer them completely) and Amit obliged.

Essentially, part of the strategy for Oracle's overall software stack (particularly Fusion Middleware) is to have everything be "hot pluggable" with their Identity Management suite. But let me take a step back for a moment. Like many other large vendors out there, Oracle's been pushing an open strategy around Service-Oriented Architectures (SOA) and the fact that all their products will eventually support the ability to leverage (and underpin) an enterprise service bus (or whatever buzzword you feel like using). One of the main benefits in doing so is to allow for a vendor agnostic architecture where organisations aren't "locked in" to specific products (note that the industry is a long way from this being a reality despite all the hype). There are other benefits but that's a topic for another day.

The organisations arguably making the most noise around SOA are IBM and Oracle. But Oracle is making more noise (and it seems progress) around the notion of Enterprise Identity Services (Nishant Kaushik in particular seems to be spending lots of time on this) and Amit was quick to point out that the Identity Management group will be keeping with the strategy of openness while being mindful of having to show the value Oracle's products can provide over their competitors. In short, most of Oracle's software will eventually be built to support the use of SOA-like interfaces thus allowing for interoperability with competitive solutions (assuming the likes of IBM, CA, Sun and Novell build products that support the relevant standards for the relevant use cases). It will then be up to Oracle to convince organisations that even though they could use a competitor's product, Oracle's Identity and Access Management suite is the best option because of additional benefits. Amit mentioned some examples like certified support for the Identity Governance Framework (which I should point out was originally an Oracle initiative but has since been submitted to the Liberty Alliance to carry forward) and perhaps things like "quick start" initiatives with pre-built policies for use with Oracle software.

It's great to see Oracle's strategy is to make all their software "play nice together" while being open at the same time. In reality however, the sales teams will sell whatever combination of products will fit into a customer's budget. If they have to drop products out of the solution proposal to bring it under budget, they will. It's just how the sales teams work, especially if their numbers aren't 100% tied in to Oracle Identity and Access Management software sales :-)

We also briefly touched on various pieces of the Identity and Access Management suite being "pre-baked" into other Oracle software products (e.g. there's a lot of work being done to embed Oracle Virtual Directory within other products) before moving on to exploring Oracle's relatively new Entitlements Server (OES), itself a prime candidate for being embedded within other products. I didn't want to focus on functionality because I already knew about it at a high level. I was more interested in where Oracle's headed with the product from a strategic standpoint.

The obvious direction is to have OES be the fine-grained authorisation engine for just about everything, but Oracle's software stack is HUGE. In other words, it's not an easy task (even if they go with the SOA approach) and I don't think it's going to happen very quickly. Knowing this, I shifted the focus purely to the Identity and Access Management products and their use of OES to externalise authorisation. The answer: yes, but not yet. I used Oracle Identity Manager (OIM) as an example and Amit told me that the plan is to allow for the externalisation of OIM authorisation policies to OES in the next release (e.g. delegated administration settings). He did note that OIM can already provision to OES out of the box (I would have been VERY surprised if that wasn't the case).

Finally, we moved on to speaking briefly about Governance, Risk and Compliance (GRC), that controversial "catch all" three letter acronym. I wanted to know Oracle's plans around identity-centric GRC. If you aren't familiar with the whole GRC thing, I've written about it in the past so have a quick read and then come back.

As it stands today, Oracle's GRC product is much more focused on the financial and enterprise governance (and compliance) aspects and is hooked into their Finance, ERP and CRM applications. In terms of Identity Management and compliance however, we tend to hear a lot more about identity and user account focused access controls, attestation and segregation of duties (SoD). The products in this area receiving the most press of late are SailPoint's IdentityIQ and Aveksa's Compliance Manager.

Oracle's GRC product doesn't actually compete in the identity-centric GRC area (at least not directly). But in light of Sun's very recent launch of its Identity Compliance Manager and Novell's entry into this space through their Access Governance Suite (which is actually Aveksa re-branded via an OEM agreement), I wanted to know if Oracle had any plans to expand their GRC offering to address identity-centric compliance.

Amit's answer was that Oracle does in fact have plans to do this and they are looking at expanding the capabilities of the existing GRC product instead of building a brand new one. This essentially means that the GRC product will get additional features and hooks into the Identity and Access Management suite and vice versa. This includes things like building on the existing attestation capabilities of OIM and supporting the ability to deal with SoD policies through mining existing user entitlements and also using preventative measures (like CA will have once they finish integrating the features of the recently acquired IDFocus product).

Despite Amit almost calling me a journalist on the call, I'm far from one. What I'm trying to say is that I didn't really take any notes. I just spoke to him about a topic I find very interesting and now I'm writing about it. Hence if any of you in the Oracle community (Nishant? Clayton? Mark? Anyone else?) want to confirm, deny, correct or add to any of this (or part 1) feel free to do so via the comments. If not, we'll all just take everything I've said as fact and hold product management to my claims :-)

Ultimately, talking about plans which make a lot of sense means very little other than to communicate intentions. The key will be how Oracle executes and how quickly they do it. Otherwise, they might as well be telling us they want to put a guy on Jupiter.
