In the age of digital transformation, not only the requirements for IT but also the way IT is done are continually evolving. To remain relevant, organizations must reinvent themselves by becoming more agile and more innovative. Emerging technology initiatives such as the digital workplace, DevOps, security automation, and the Internet of Things continue to expand the attack surface of organizations and introduce new digital risks. To stay competitive and compliant, organizations must actively seek new ways of assessing and managing security risks without disrupting the business. Security leaders therefore have an urgent need to continually improve the security posture of the organization by identifying and implementing appropriate controls against these threats.
Identity Governance and Administration (IGA) covers the capabilities in the IAM (Identity and Access Management) market that broadly deal with end-to-end identity lifecycle management, access entitlements, workflow and policy management, role management, access certification, SOD (Segregation of Duties) risk analysis, reporting, and access intelligence. A self-service user interface allows users to request access, manage their profile, and reset and synchronize passwords. Configurable connectors, either cloud-native or based on gateways back to on-premises environments, provide automated user provisioning to both on-premises and SaaS applications.
As IGA becomes a vital security and risk management discipline directly affecting the security posture of any organization, a lack of basic IGA capabilities can leave organizations exposed to risks originating from inefficient administration of identities and access entitlements, poor role management, and inadequate auditing and reporting. These risks range from identity theft to unapproved and unauthorized changes, access creep, role bloat, delays in access fulfillment, orphan roles and accounts, and SOD conflicts leading to occupational and other internal fraud. Several incidents in the recent past have emphasized the need for better IGA controls in organizations of all sizes across all industry verticals.
IGA also refers to the increasingly integrated Identity Provisioning and Access Governance markets. Where Identity Provisioning focuses on tasks related to administering access fulfillment and entitlements throughout an identity lifecycle, Access Governance provides the necessary (mostly self-service) tools for the business to manage workflows and access entitlements, run reports, and perform access certification campaigns and SOD checks. Access intelligence is the analytics layer over Identity Provisioning and Access Governance that offers business-related insights to support effective decision making and potentially enhance governance.
In recent years, Privileged Access Management (PAM) has become increasingly associated with IAM. PAM has evolved into a set of technologies used to prevent security breaches and credential theft by identifying, securing, and managing privileged credentials and the access they grant across an organization's IT environment. Future trends may show a convergence of IGA and PAM in the market, as seen in IGA vendors partnering more with PAM vendors or building PAM capabilities directly into their IGA solutions, although PAM capabilities in these cases may be limited.
2 Product Description
Oracle is a leading provider of identity management and database security, as well as of the cloud service capabilities offered through Oracle Cloud Infrastructure (OCI). In an age where greater emphasis is placed on regulatory compliance and risk management, identity governance is becoming an increasingly critical piece of an organization's security portfolio. Oracle addresses this need through its Oracle Identity Governance (OIG) offering.
Oracle Identity Governance (OIG) is available on the Oracle Cloud Infrastructure (OCI) marketplace as part of the Oracle Identity Management solution. OIG uses cloud native tooling for installation and deployment to support enterprise compliance use cases. OIG also manages user access privileges to an organization's resources throughout the identity management lifecycle in an automated way.
OIG's key capabilities cover identity lifecycle, access requests and certification, Role-Based Access Control (RBAC), and Segregation of Duties (SOD), with applied analytics reporting that can identify which users have access to which resources. This KuppingerCole Executive View focuses on Oracle Identity Governance within IDM 12c and Oracle's most recent enhancements to its product offering.
Oracle has streamlined the application on-boarding process in OIG. What took customers on the Oracle 11g technology stack multiple process steps, as well as in-depth Oracle technical training, now takes only a few steps and requires much less technical training. OIG now uses a self-service, wizard-based UI. Groovy transformation scripts, bulk on-boarding, and REST APIs are also available for more technically savvy administrators or DevOps teams.
Other key features include automatic discovery that can detect data types or attributes from a database, for example; schema discovery for flat files or databases helps eliminate manual configuration. Flat-file reconciliation of connected targets, connector cloning, and job scheduling are also available.
Role Lifecycle Management
Many of Oracle's customers manage identity lifecycles by provisioning roles to assign rights and privileges and to limit entitlement sprawl across the large number of applications they have to deal with. To support these customers, OIG adds role discovery and role lifecycle management.
With OIG, role discovery examines existing roles and their access to automatically suggest functional roles for a given collection of related access rights. This also helps with certification, since it gives approvers the information needed to decide whether a given user should hold a specific functional role.
With OIG 12c, a more business-friendly self-service UI is available, in which different lines of business can gain role insights and author policies before submitting the policy for review and going into production.
To simplify role lifecycle management, OIG can also collect all existing administrative access grants, or even requests for access, and convert them to role-based grants. Another role lifecycle management feature is the role mining capability in OIG that was previously only available in Oracle Identity Analytics (OIA).
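The following is an added example, not Oracle code, that makes concrete what the role discovery, SOD analysis, and orphan-account checks described above and in the introduction actually compute. It mines candidate functional roles from a constructed set of direct entitlement grants (every distinct entitlement set shared by at least two identities), refuses to turn a toxic SOD combination into a role, converts direct grants to role grants where a role fully fits, and lists target accounts with no valid owning identity. All identity names, entitlement names, SOD rule pairs, and account IDs are hypothetical sample data; the "role-N" naming is likewise an assumption of this example.

```python
"""Added example: SOD analysis, role mining, and orphan-account detection over
constructed sample data. Illustrative code, not Oracle's implementation; the
entitlement names, rule pairs, account IDs, and role naming are hypothetical."""
from collections import defaultdict

# Constructed sample data: identity -> fine-grained entitlements held directly.
USER_ENTITLEMENTS = {
    "alice": {"erp:create_vendor", "erp:approve_payment", "crm:read"},
    "bob":   {"erp:create_vendor", "crm:read"},
    "carol": {"erp:create_vendor", "crm:read"},
    "dave":  {"hr:edit_payroll", "hr:approve_payroll"},
    "erin":  {"hr:edit_payroll", "hr:view_payroll"},
    "frank": {"hr:edit_payroll", "hr:view_payroll"},
    "hank":  {"erp:create_vendor", "erp:approve_payment"},
    "ivan":  {"erp:create_vendor", "erp:approve_payment"},
}

# Constructed SOD rules: toxic pairs no single identity may hold together.
SOD_RULES = [
    ("erp:create_vendor", "erp:approve_payment"),
    ("hr:edit_payroll", "hr:approve_payroll"),
]

# Constructed target-system accounts: account -> owning identity (None = unlinked).
TARGET_ACCOUNTS = {
    "erp:alice.w": "alice",
    "erp:svc_batch": None,   # service account nobody owns
    "hr:dave.m": "dave",
    "crm:zed.q": "zed",      # owner no longer exists as an identity
}


def find_sod_violations(entitlements, rules):
    """Map each identity to the SOD rule pairs it violates (empty dict if clean)."""
    violations = {}
    for user, ents in entitlements.items():
        hits = [(a, b) for a, b in rules if a in ents and b in ents]
        if hits:
            violations[user] = hits
    return violations


def mine_roles(entitlements, rules, min_users=2):
    """Suggest candidate functional roles: every distinct entitlement set shared by
    at least min_users identities. Each candidate is also checked against the SOD
    rules so that a toxic combination is never baked into a role definition."""
    by_set = defaultdict(list)
    for user, ents in entitlements.items():
        by_set[frozenset(ents)].append(user)
    candidates = [
        {"entitlements": sorted(ents), "members": sorted(users)}
        for ents, users in by_set.items() if len(users) >= min_users
    ]
    # Largest roles first; ties broken by entitlement names for stable output.
    candidates.sort(key=lambda c: (-len(c["members"]), c["entitlements"]))
    for i, cand in enumerate(candidates, start=1):
        cand["name"] = f"role-{i}"  # hypothetical naming scheme
        ents = set(cand["entitlements"])
        cand["sod_conflicts"] = [(a, b) for a, b in rules if a in ents and b in ents]
    return candidates


def convert_to_role_grants(entitlements, roles):
    """Replace direct grants with role grants where a role fully fits, returning
    identity -> (roles held, residual direct entitlements still needing review)."""
    result = {}
    for user, ents in entitlements.items():
        held = [r for r in roles if set(r["entitlements"]) <= ents]
        covered = set()
        for r in held:
            covered.update(r["entitlements"])
        result[user] = ([r["name"] for r in held], sorted(ents - covered))
    return result


def find_orphan_accounts(accounts, identities):
    """Accounts with no owner, or whose owner is not a known identity."""
    return sorted(acct for acct, owner in accounts.items()
                  if owner is None or owner not in identities)


def run_report():
    """Run all checks over the sample data and return the findings."""
    roles = mine_roles(USER_ENTITLEMENTS, SOD_RULES)
    clean_roles = [r for r in roles if not r["sod_conflicts"]]
    return {
        "sod_violations": find_sod_violations(USER_ENTITLEMENTS, SOD_RULES),
        "candidate_roles": roles,
        "role_grants": convert_to_role_grants(USER_ENTITLEMENTS, clean_roles),
        "orphan_accounts": find_orphan_accounts(TARGET_ACCOUNTS, USER_ENTITLEMENTS.keys()),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_report(), indent=2))
```

Two details matter for a real campaign. The candidate role mined from hank and ivan contains both halves of the vendor/payment rule, so it is reported but excluded from the conversion step; otherwise the conflict would be hidden inside a role and pass a role-level certification. Alice keeps a residual direct grant (erp:approve_payment) after conversion, which is exactly the kind of out-of-role, high-risk entitlement a reviewer would want to see singled out.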
As a governance tool, OIG provides considerable certification capabilities. Options in the certification review process include sorting pending certifications by percent complete, group review support, and custom access reviewer rules that determine who reviews what. Other features include the ability to focus a certification review by building the campaign on the entitlement's certification organization, selecting high-risk entitlements outside of roles, excluding access assigned through roles, or filtering on catalog metadata (user-defined fields, UDFs) to categorize entitlements and roles.
OIG provides REST APIs for user self-service use cases, giving both web and mobile clients the ability to deliver a better user experience. Capabilities available through these APIs include conducting certification reviews from a mobile device, the access request lifecycle, searching the access catalog, viewing a user's accounts, roles, entitlements, and pending approvals, and other self-service tasks such as registration and forgotten-password reset.
Oracle Identity Governance offers a large number of connectors covering both on-premises and cloud use cases. Connector categories include many traditional target systems; hybrid connectors such as Fusion Applications (FA) and Oracle Identity Cloud Service (IDCS); and technology connectors for web services, database application tables (DBAT), and scripting tools. Some of the most common SaaS application connectors available are listed below:
- Google Apps
- Office 365
- Oracle Content and Experience Cloud
Noteworthy security enhancements in Oracle Identity Governance 12c include JWT (JSON Web Token) authentication for the SCIM/REST interfaces, the addition of TLS 1.2 cipher suites, replacement of file-based keystores by the Keystore Service (KSS) for stronger key management, and the ability to customize request headers and maintain an origin whitelist for cross-origin callers.
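To show what "JWT for SCIM/REST" plus an origin whitelist means at the request boundary, here is an added, generic example in Python; it is not Oracle's implementation and does not reflect how OIG validates tokens internally. It mints and verifies HS256 tokens with a shared secret purely so the example runs offline; the issuer, audience, secret, and allowed origins are hypothetical, and a production deployment would use asymmetric keys held in a key management service (such as the KSS mentioned above) rather than a secret in code. The gatekeeper rejects `alg=none` and any algorithm other than the one it expects, compares signatures in constant time, checks `iss`, `aud`, and `exp`, and enforces the origin allowlist before the token is even looked at.

```python
"""Added example: bearer-JWT verification and an origin allowlist in front of a
SCIM/REST endpoint. Generic illustration (HS256, shared secret, stdlib only);
not Oracle's code. Issuer, audience, secret, and origins are hypothetical."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-shared-secret"       # hypothetical; never hard-code in real code
ISSUER = "https://idm.example.test"     # hypothetical token issuer
AUDIENCE = "scim-api"                   # hypothetical audience for the SCIM API
ALLOWED_ORIGINS = {"https://portal.example.test", "https://mobile.example.test"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject, lifetime=300, now=None, secret=SECRET):
    """Mint an HS256 JWT; used here only to produce input for the verifier."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "iat": now, "exp": now + lifetime}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, now=None, secret=SECRET):
    """Return the claims if the token is valid, else raise ValueError.
    Order matters: pin the algorithm first, then the signature, then claims."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:  # covers bad split, bad base64 (binascii.Error) and bad JSON
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")   # rejects alg=none and algorithm confusion
    expected = hmac.new(secret, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def authorize_request(headers, now=None):
    """Gatekeeper for one SCIM/REST request: enforce the origin allowlist (when an
    Origin header is present) and then the bearer token. Returns (status, detail)."""
    origin = headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, "origin not allowed"
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = verify_token(auth[len("Bearer "):], now=now)
    except ValueError as exc:
        return 401, str(exc)
    return 200, claims["sub"]


if __name__ == "__main__":
    tok = issue_token("alice")
    print(authorize_request({"Origin": "https://portal.example.test",
                             "Authorization": "Bearer " + tok}))
```

The origin check runs before token parsing so that a browser-originated request from an unlisted site fails closed even if it carries a valid token, and the expiry check uses `now >= exp` so that a token is unusable at the instant it expires rather than one second later.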
Deployment Models and Management
The OCI marketplace publishes the IDM image and provides an automated provisioning, installation, and configuration workflow. The number of steps required to get OIG up and running has been significantly reduced in 12c, helped by an improved user interface.
OIG supports multi-cloud IDM instances working with multi-cloud workloads. Oracle provides a cloud native experience for lifting and shifting current deployments to the cloud while preserving policy customizations and other installation configuration.
Cloud native packaging of existing technology stacks and their configurations as Docker images is also possible, which simplifies deployment to cloud environments. Oracle's own Kubernetes offering can be used, as can other Kubernetes providers such as Microsoft Azure. Because OIG deploys on Oracle Cloud Infrastructure (OCI), Terraform's infrastructure-as-code tooling can define the infrastructure resources and maintain their state when building out the cloud infrastructure the services require. Containers, Kubernetes, and Terraform apply not only to Oracle's cloud but also to on-premises IDM and OIG deployments. The cloud native capabilities include dependency layering, lifecycle management, logging, monitoring, and network policies. An IDM command line interface (CLI) that works with any cloud provider to orchestrate provisioning, installation, and configuration is also provided.
3 Strengths and Challenges
Oracle Identity Governance (OIG) 12c provides many improvements over previous versions in the areas of simplified application on-boarding, deployment, and access policy and certification capabilities. It should be an attractive solution for existing Oracle customers, since it is tightly integrated with other Oracle business products.
Arguably, one limitation of Oracle Identity Governance, and by extension of the Oracle Identity Management solution, is that it is designed to support only the Oracle database as part of the core infrastructure of the IDM solution, and this is unlikely to change soon given its reliance on Oracle's core database technologies.
Many enhancements in OIG 12c continue to improve the customer and end-user experience, making the product more automated and, in the end, simply easier to use than previous versions. Existing 11g customers should find the upgrade to this latest release smoother. Application on-boarding has become much simpler in OIG 12c by hiding the complexity of the Oracle technology stack and by automatically discovering database schemas and data types to assist with configuration. Role lifecycle management adds role discovery and a more business-friendly policy UI.
Although RBAC is provided, a more dynamic authorization model is not. Options for certification reviews have increased, and exposing OIG's self-service APIs makes it easier to extend its capabilities to other web and mobile use cases.
Oracle's support for cloud native tools such as Docker, Kubernetes, and Terraform, and the introduction of a CLI that can be used with other cloud providers for provisioning, installation, and configuration, give customers a more modern environment in which to work.
Overall, Oracle shows that it has listened to its customers and provided the identity governance tools they need in a much simpler, more straightforward, and more automated way. For new or existing customers of Oracle IDM, Oracle Identity Governance (OIG) 12c is certainly worth considering.
4 Related Research
Executive View: Oracle Data Safe – 80076
Executive View: Oracle Identity Cloud Service – 80156
Leadership Compass: Identity as a Service (IDaaS) IGA – 80051
Leadership Compass: Infrastructure as a Service – Global Providers – 80035
Whitepaper: Oracle Identity Cloud Service: Identity for Business Applications in the Hybrid IT – 80155