Securing Identity From Inside the App

Getting nervous about that personal data floating around your enterprise applications? A new identity management initiative, led by Oracle, aims to address a missing link in the effort to protect identity data from falling into the wrong hands, specifying how it's handled among different applications in an enterprise.

Oracle, along with Computer Associates, Sun Microsystems, Ping Identity, Securent, Layer 7, and Novell, today released a new set of draft identity management specifications that define policies for how organizations securely share and store personal data among their applications. The so-called Identity Governance Framework (IGF) lets enterprises set policies for things like how applications request for and provide Social Security numbers, for instance, data which is typically housed in multiple apps across an organization, leaving it prone to security and privacy breaches.

"Companies are struggling with the changing nature of security threats and identity theft," for example, says Amit Jasuja, vice president of development, security, and identity management at Oracle. "Identity-related data, not just username and password, but your age and Social Security number are all stored in various application repositories. And it's giving CISOs a headache trying to govern all that data."

The IGF is the latest in a series of identity management efforts such as the Liberty Alliance Project and the Higgins Project, as well as Microsoft's InfoCard technology. Jasuja says the goal is for IGF to work in conjunction with these efforts as yet another piece of the identity security puzzle.

But this is still no panacea for stopping identity theft or the compromise of that sensitive information, security analysts say. While the IGF goes a long way to specify the policies of handling identity data among applications and automating those policies, the wild card is what users actually do with the information, industry analysts say.

"In the end, governance is a human process," says Bob Blakley, principal analyst with the Burton Group. No matter how well the apps are tuned, you still can't control what people do with identity data, he says.

The IGF does help, however, by providing a standard way to request and move data among applications, for instance. "There's nothing out there like this today," Blakely says. "But it has very little to do with governance -- governance is the internal procedures of an organization that makes sure information is handled properly."

Conspicuously missing from the group of vendors are IBM and Microsoft. Oracle's Jasuja says he hopes the two will eventually join the effort. "We've got critical mass at this point with Oracle, Sun, Novell, and CA."

So how will IGF fit in with all the other related identity efforts?

Oracle's Jasuja says the Liberty Alliance, Higgins, and Microsoft's InfoCard identity management technology are focused on how identity data is collected from the user and brought into the enterprise. "That's first mile -- how did I get this data and capture all the privacy attributes," he says. "We'd like to broaden this to once the data is in the enterprise, and starts to make its way out of repositories and systems and into business applications. How is that information being managed and used in the enterprise?"

IGF also encompasses data being exchanged among different organizations' apps, such as a travel service booking a flight with an airline on behalf of a user/traveler.

The IGF specifications will support OASIS' Security Assertion Markup Language (SAML), the standard for exchanging authentication and authorization data between security domains. "They are very complimentary. SAML and the Liberty Alliance's specs talk about assertion and identity information exchange between companies," Jasuja says.

IGF consists of two main specifications. The first is Client Attribute Requirement Markup Language (CARML), which defines what an application specifies for information on a user, such as whether it uses the last four digits of his or her SSN, for instance. "It's all about the application telling the enterprise, this is what I need from you: the last four digits of your SSN, or the account number of a customer in a bank," Jasuja says.

The second spec, Attribute Authority Policy Markup Language (AAPML), defines policies and restrictions on usage of data, such as "you can use the SSN number, but only if the user with that SSN is the one logging in and requesting that data," he says. IGF also has an API for CARML and an identity service spec.

Jasuja says the group is currently trying to find a home in one of the standards groups for the specs. And that may well be the Liberty Alliance, according to one member of the IGF initiative. "Our desire is to move this initiative into the Liberty Alliance quickly so that a broader spectrum of users and developers can work on the specs," says Bill Smith, director of Software Standards at Sun Microsystems.

— Kelly Jackson Higgins, Senior Editor, Dark Reading