On October 17th, I posted a short blog and a
podcast interview with Chirag Andani, talking about how Oracle IT uses its own
IDM products. Blog link here.
In response, I
received a comment from reader Jaime Cardoso (
[email protected])
who posted:
“- You could have
talked about how by deploying Oracle's Open standards base technology you were
able to integrate any new system in your infrastructure in days.
- You could have
talked about how by deploying federation you were enabling the business side to
keep all their options open in terms of companies to buy and sell while
maintaining perfect employee and customer's single view.
- You could have
talked about how you are now able to cut response times to your audit and
security teams into 1/10th of your former times
Instead you spent 6
minutes talking about single sign on and self provisioning? If I didn't knew
your IDM offer so well I would now be wondering what its differences from
Microsoft's offer was.
Sorry for not giving a
positive comment here but, please your IDM suite is very good and, you simply
aren't promoting it well enough”
So I decided to send Jaime a note asking him about his
experience, and to get his perspective on what makes the Oracle products
great. What I found out is that Jaime is
a very experienced IDM Architect with several major projects under his belt.
Darin Pendergraft:
Can you tell me a bit about your experience? How long have you worked in IT, and what is your IDM experience?
Jaime Cardoso: I started
working in "serious" IT in 1998 when I became Netscape's technical
specialist in Portugal. Netscape Portugal didn't exist so, I was working for
their VAR here. Most of my work at the time was with Netscape's mail server and
LDAP server.
Since that time I've
been bouncing between the system's side like Sun resellers, Solaris stuff and
even worked with Sun's Engineering in the making of an Hierarchical Storage
Product (Sun CIS if you know it) and the application's side, mostly in LDAP and
IDM.
Over the years I've
been doing support, service delivery and pre-sales / architecture design of IDM
solutions in most big customers in Portugal, to name a few projects:
- The first European
deployment of Sun Access Manager (SAPO – Portugal Telecom)
- The identity repository
of 5/5 of the Biggest Portuguese banks
- The Portuguese
government federation of services project
DP: OK, in your
blog response, you mentioned 3 topics:
1. Using Oracle's standards based architecture; (you) were
able to integrate any new system in days: can you give an example? What systems, how long did it take, number of
apps/users/accounts/roles etc.
JC: It's relatively easy
to design a user management strategy for a static environment, or if you simply
assume that you're an <insert vendor here> shop and all your systems will
bow to that vendor's will. We've all
seen that path, the use of proprietary technologies in interoperability
solutions but, then reality kicks in. As
an ISP I recall that I made the technical decision to use Active Directory as a
central authentication system for the entire IT infrastructure. Clients,
systems, apps, everything was there.
As a good part of the
systems and apps were running on UNIX, then a connector became needed in order
to have UNIX boxes to authenticate against AD. And, that strategy worked but,
each new machine required the component to be installed, monitoring had to be
made for that component and each new app had to be independently certified.
A self care user
portal was an ongoing project, AD access assumes the client is inside the
domain, something the ISP's customers (and UNIX boxes) weren't nor had any
intention of ever being.
When the Windows 2008
rollout was done, Microsoft changed the Active Directory interface. The Windows
administrators didn't have enough know-how about directories and the way
systems outside the MS world behaved so, on the go live, things weren't
properly tested and a general outage followed. Several hours and 1 roll back
later, everything was back working.
But, the ISP still had
to change all of its applications to work with the new access methods and reset
the effort spent on the self service user portal. To keep with the same
strategy, they would also have to trust Microsoft not to change interfaces
again.
Simply by putting up
an Oracle LDAP server in the middle and replicating the user info from the AD
into LDAP, most of the problems went away. Even systems for which no AD connector existed
had PAM in them so, integration was made at the OS level, fully supported by
the OS supplier.
Sun Identity Manager
already had a self care portal, combined with a user workflow so, all the clearances
had to be given before the account was created or updated.
Adding a new system as
a client for these authentication services was simply a new checkbox in the OS
installer and, even True64 systems were, for the first time integrated also
with a 5 minute work of a junior system admin.
True, all the windows
clients and MS apps still went to the AD for their authentication needs so,
from the start everybody knew that they weren't 100% free of migration pains
but, now they had a single point of problems to look at.
If you're looking for
numbers:
- 500K directory
entries (users)
- 2-300 systems
After the initial
setup, I personally integrated about 20 systems / apps against LDAP in 1 day
while being watched by the different IT teams. The internal IT staff did the
rest.
DP:
2. Using Federation allows the business to keep options open for buying and
selling companies, and yet maintain a single view for both employee and
customer. What do you mean by this? Can you give an example?
JC: The market is dynamic. The
company that's being bought today tomorrow will be sold again. Companies that
spread on different markets may see the regulator forcing a sale of part of a
company due to monopoly reasons and companies that are in multiple countries
have to comply with different legislations.
Our
job, as IT architects, while addressing the customers and employees authentication
services, is quite hard and, quite contrary. On one
hand, we need to give access to all of our employees to the
relevant systems, apps and resources and, we already have marketing talking
with us trying to find out who's a customer of the bough company but not from
ours to address.
On
the other
hand, we have to do that and keep in mind we may have to break up all
that effort and that different countries legislation may became a problem with
a full integration plan.
That's
a job for user Federation. you don't want to be the one who's telling your
President that he will sell that business unit without it's customer's database
(making the deal worth a lot less) or that the buyer will take with him a copy
of your entire customer's database. Federation enables you to start controlling
permissions to users outside of your traditional authentication realm. So what
if the people of that company you just bought are keeping their old logins? Do
you want, because of that, to have a dedicated system for their expenses
reports? And do you want to keep their sales (and pre-sales) people out of the
loop in terms of your group's path?
Control
the information flow, establish a Federation trust circle and give access to
your apps to users that haven't (yet?) been brought into your internal login
systems. You can still see your users in a unified view, you obviously control
if a user has access to any particular application, either that user is in your
local database or stored in a directory on the other side of the world.
DP:
3. Cut response times of audit and security teams to 1/10. Is this a real number? Can you give an example?
JC: No, I don't have any backing for
this number.
One
of the companies I did system Administration for has a SOX compliance policy in
place (I remind you that I live in Portugal so, this definition of SOX may be
somewhat different from what you're used
to)
and, every time the audit team says they'll do another audit, we have to negotiate
with them the size of the sample and we spend about 15 man/days gathering all
the required info they ask.
I
did some work with Sun's Identity auditor and, from what I've been seeing,
Oracle's product is even better and, I've seen that most of the information
they ask would have been provided in a few hours with the help of this tool. I do stand by what I said here but, to be
honest, someone from Identity Auditor team would do a much better job than me
explaining this time savings.
Jaime is right: the Oracle IDM products have a lot of
business value, and Oracle IT is using them for a lot more than I was able to
cover in the short podcast that I posted.
I want to thank Jaime for his comments and perspective. We want these blog posts to be informative
and honest – so if you have feedback for the Oracle IDM team on any topic
discussed here, please post your comments below.
