
Identity and access management in 2008 : Oracle

Oracle is the next installment in our IAM 2008 interview series. We talked to Christophe Bonenfant, Senior Sales Manager, Oracle Identity & Access Management. He outlines for us Oracle's strategy for I&AM.

SecurityNewsletter.com : Would you say the market consolidation is over in I&AM's short history ?

Christophe Bonenfant, Oracle: We've seen major players position themselves as providers of technological tools. They brought the support capabilities needed to sustain such a critical infrastructure as I&AM has become. So we can say the market took a first step toward a consolidation indeed. Oracle for example leveraged this consolidation to get a full product line extending from I&AM to GRC (Governance, Risk & Compliance).

We acquired for example Bridgestream in 2007, which offers a role management and a role mining tool. Bridgestream allows us a more functional approach in role management. We also bought LogicalApps (GRC, Governance, Risk & Compliance). Then there was Bharosa, whose acquisition brought us strong authentication and Risk Management functionalities. Bharosa's offering actually targets more specifically e-commerce websites and online banking, but we saw a tremendous potential in other areas of I&AM as well. We just need to educate the market about them !

But I would not say this is over yet. There are other technologies to be acquired, like advanced role segregation within enterprise applications, or role mining.

SecurityNewsletter.com :  If the technological pieces & bits have yet to be integrated, does this mean I&AM isn't mature yet ?

Identity and Access Management is technologically mature. We can handle large scale deployments of webSSO, provisioning, identity federation projects and so on. And we can prove it. The products are there, they are stable for production use and the people are trained.

Now I feel what's missing is Role Management. This, indeed, might still be immature. RBAC (Role-Based Access Control) has shown its limitations and is not up to the new flexibility and accountability requirements enterprises ask for. Most projects end up dealing with only a few technical roles or become so complex that they are axed. We've seen some projects where there were more roles defined than users within the enterprise.

So, while technologies are mature, it will still be some time before enterprises are able to fully deploy and take advantage of them, especially in the provisioning and role management departments. Those are true security assets but they are harder to deploy, needing a stronger integration with the business logic. They require a great understanding of both business processes and governance (role management, credentials, audit). 

I&AM projects will be mature when they are designed with the same level of thought as CRM or HRM projects, when the very essence of roles is in the fabric of the organization, and when a crisis is not the only time the enterprise wants to map its users and roles. On all those items, we feel customers' maturity needs to increase before they can handle I&AM. It's hard to find an I&AM manager even in major corporations, someone whose responsibility would be to serve as a bridge between user activity (security, HR, Finance, business applications) and the IT department.

Besides, enterprises seldom embrace I&AM governance. This leads to a low adoption rate and little to no adaptability to the company's future needs.

SecurityNewsletter.com : How to set apart the many offers on this market when they actually are made of the same technology layers ?

The difference can't be made upon technology alone, nor its functionalities. At Oracle, Identity Management is seen as part of a bigger GRC (Governance, Risk & Compliance) strategy. This includes data and document protection, identity and access control, and also rights management within the business applications. All those functions need to work together to help manage risk and regulation compliance for the enterprise.

To our customers the difference will most likely be in how the vendor's vision aligns with their global security policy. For example some of our customers use Peoplesoft for HR, eBusiness Suite as their Finance ERP and Siebel for CRM. Oracle brings them identity management functionalities that tie with those applications all at once, and our roadmap shows plans to integrate those in our Oracle Fusion Applications architecture. 

To me, standing out in this market is mainly a matter of a business applications driven strategy and a top-down approach (from the application to the infrastructure). It's also important to focus on GRC integration and to be open to SOA (Identity as a Service, for example).

SecurityNewsletter.com : Apart from technology, what do you make of consulting in the I&AM industry ?

Identity Management consulting has long been a matter of a small number of niche specialists. They often have a very deep expertise on one part of I&AM, generally coming from an initial expertise in the infrastructure. But now that I&AM is closer to GRC, mainstream consulting players move more easily to I&AM. Companies like Deloitte, Protiviti or Ernst & Young appear especially on SOA or compliance bids.

Several other players are more versed in the architecture (Arismore, Octo Technology, Unilog Management). And we work quite closely with players like Cap Gemini, Steria, Business & Decision or BT, because they can do consulting as well as integration work in both business applications and security.

Besides, and because we are well aware of the organizational challenge I&AM can be, Oracle developed specific resources within its consulting group to help customers plan their project and align their needs and the solution, in a more organizational approach.

SecurityNewsletter.com : Who are Oracle's partners for I&AM ?

Our main global partners are Accenture, BT, Capgemini, Deloitte, EDS, KPMG, PWC and Wipro.

SecurityNewsletter.com :  What do you make of standards like WS-Security, Liberty Alliance and all ?

Some of those did make it into the core services of I&AM infrastructures. I'm thinking about LDAP and DSML to access LDAP directories, SAML (1.0 and 1.1) for cross-websites authentication, WS-Security for web services security, WS-Federation for identity federation within Microsoft Active Directory, or even SPML for provisioning, although it's not as mainstream as the others. And Liberty Alliance also starts to take a central role in advanced federation scenarios and it's used in the public sector and the telco industry.

But those standards are not mature enough to be part of a fully integrated Identity Service in a SOA way. They still need to be complemented with others, like online identity attributes definition or access rights definitions for those attributes. Oracle does contribute to help define those next standards.

SecurityNewsletter.com : In closing, what market and technology evolution do you see, and what is Oracle's roadmap regarding this evolution ?

We do feel identity services will eventually be directly and natively consumed by business applications. That's why Oracle got a solutions portfolio spanning from the applications to the middleware.

Thus our roadmap is structured to leverage that vision : we offer today a good integration of Oracle and SAP applications, but also in more exotic areas like the Service Desk, for example through BMC's Remedy.

Our roadmap plans for functional evolutions in user interfaces, fine grain authorization, better GRC integration (Oracle GRC, SAP Virsa...), better reporting and management through the use of solutions like Oracle BI Publisher, and of course the integration in our solutions of Role Management, Role Mining and Risk Management.

We'll also be focusing on our Identity Services Framework, to help standardize interfaces between business applications and identity services, and normalize the middleware with BPEL.

 

 

   
