Most organizations now have a hybrid IT environment and a cloud first approach to choosing new applications. While this provides many benefits it also creates challenges around management, security and administration. Managing identity and access in a consistent manner across all IT services, irrespective of how they are delivered, is key to meeting these challenges.
Cloud services together with mobile communications provide rapid access to the latest data and applications from any device and from any location. It has become easy to try a new service before widely deploying it and this improves business agility while reducing risks. The cloud service provider becomes responsible for managing many of the time-consuming tasks involved in delivering the service and this frees IT resources to concentrate on delivering business value. However, the customer remains responsible for their data, wherever it resides, and however it is processed.
The cost of failing to adequately protect data can be very high. New regulations across the world are increasing the penalties for failure to protect personal data. For example, the EU GDPR (General Data Protection Regulation) sets the penalties for failure to protect the privacy of the personal data of EU residents at up to 2% or 4% of the organization’s global turnover depending upon the nature of the breach.
The responsibility for security in the hybrid IT environment is shared between the customer and the service provider. Where an organization has a hybrid IT environment with IT services from multiple cloud vendors as well as on premises how these responsibilities are shared can be very complex. Most cloud service providers implement very strong security controls for the services they provide and consequently many security breaches originate from failures by the customer. Most involve a failure to properly set or protect access controls or credentials. Since cloud services are inherently open to access from the internet, incorrect or missing access controls and poorly protected credentials are a major risk. Managing these risks effectively is essential.
The hybrid multi-cloud IT environment creates new identity and access management challenges. When IT was delivered on premises, identity and access management could be centralized and controlled in one place. This supported standard workflows for on-boarding and off-boarding employees as well as job changes and for the auditing and governance of activities and access rights. However, the tools providing these capabilities for on premises IT services do not usually cover the cloud.
Employees can decide to use cloud services without any controls - creating the problems of unsanctioned access. Cloud Access Security Brokers (CASB) provide a partial solution to this but are not enough. To manage access to sanctioned cloud services the organization must set controls within each service and how this is done should be integrated with the existing on premises processes, workflows and tools. Furthermore, cloud services from different vendors provide different controls, tools and interfaces increasing the complexity of this management.
In order to meet these problems, organizations need a more effective way to manage identities, implement access controls and govern access rights. This must provide a consistent approach to support the processes and workflows involved, irrespective of the service being used while also being scalable to meet the challenges of digital transformation. It must also coexist and integrate with existing on premises Identity and Access Management (IAM) processes and tools since it is not practical to rip and replace these.
Identity as a Service (IDaaS) provides a solution to these challenges by delivering traditional IAM services as a cloud service. IDaaS solutions offer cloud-ready integrations to extend an organization’s IAM controls to meet the security requirements of their SaaS portfolio. From a business perspective, IDaaS enables organizations to manage and control access to a diverse range of cloud services in a consistent manner, securely and with lower costs.
From a user perspective, IDaaS makes it easier to get access to the data and applications that they need from whatever device they are using and wherever they happen to be. By providing single sign-on they don’t need to remember multiple account credentials. Common policies and administration help to limit risks from excessive privileges or outdated access rights to applications.
IDaaS vendors originate from different backgrounds and their abilities to support different IDaaS use-cases can vary significantly. The capabilities served by most IDaaS vendors can largely be grouped into three categories:
- Identity Administration - the capabilities required by organizations to administer the lifecycle of identities.
- Access Management - capabilities ranging from authentication, authorization, single sign-on and identity federation for both on-premises and SaaS applications, delivered as a cloud service.
- Access Governance - capabilities for auditing and enforcing compliant access entitlement; these are the least mature and largely absent from the portfolio of most IDaaS vendors.
As well as replacing traditional on-premises deployments for workforce IAM, IDaaS is becoming an enabler of Consumer Identity and Access Management (CIAM) by offering the required availability and scalability. With IDaaS now dominating new IAM purchases for many use-cases across industry verticals, traditional IAM vendors are gearing up to deliver more cohesive IDaaS capabilities as part of their security services, including tighter integrations with Cloud Access Security Broker (CASB), Enterprise Mobility Management (EMM) and User Behaviour Analytics (UBA).
2 Product Description
Based in California, Oracle, the leading provider of database management and enterprise resource planning software, has introduced Oracle Identity Cloud Service (IDCS) as its IDaaS service to deliver identity administration and access management capabilities from the cloud.
Oracle Identity Cloud Service provides a fully integrated service that delivers all the core identity and access management capabilities through a multi-tenant cloud platform. It provides a set of hybrid identity features to maintain a single identity for each user across the services that they use on-premises and in the cloud and to provide a seamless user experience.
2.1 Oracle Identity Cloud Service Overview
Oracle Identity Cloud Service (IDCS) is intended to meet the needs of organizations in a range of typical use-case scenarios. These include hybrid IT (allowing both on-premises and cloud resources to be secured from a single set of controls), mobile access (providing sign-on for native or browser-based apps), employee-facing intranet and customer-facing extranet solutions.
The service is implemented using a microservice architecture that is aligned with Cloud principles of Scalability, Elasticity, Resilience, Ease of Deployment, Functional Agility, Technical Adoption and Organization Alignment.
Oracle Identity Cloud Service provides the functionality needed for several use cases including on premises apps as well as SaaS.
2.2 IDCS for SaaS
Identity Cloud Service provides single sign-on, adaptive multi-factor authentication and automated, role-based identity lifecycle management for a wide range of Oracle SaaS and third party SaaS applications.
Oracle SaaS customers get pre-integrated and certified single sign-on and identity lifecycle management using IDCS. Oracle Fusion HCM customers can use the HR-driven identity on-boarding capabilities to on-board new hires. They can use the meta-directory capabilities to map attributes and use expressions to compute new values. They can define role membership rules based on user attributes and grant SaaS entitlements to these users. Administrators can automate the entire joiner-mover-leaver business process enabling users to get frictionless access to apps.
Role Administrators can configure role-based access by assigning apps to roles and configuring coarse and fine-grained access using entitlements synched from the SaaS App. SaaS Administrators can handle exception use cases by manually granting entitlements to users. Administrators can get full visibility into the overall process, success and failures.
2.3 Zero Trust
Identity Cloud Service enables customers to implement zero-trust identity and access management for on premises and mainframe apps with the help of:
Application Gateway - this is a software appliance that can run in a virtualized or containerized environment. It enables resource-based authentication and authorization for web and programmatic (OAuth) resources. Customers can use the Gateway to secure access to on-premises workloads like E-Business Suite, PeopleSoft, Hyperion, SAP or custom applications that use HTTP Headers or cookies, as well as cloud-based workloads running on compute services that can support containers.
It provides in-depth integration with Oracle business applications, with pre-defined templates for JD Edwards, Retail, PeopleSoft and Oracle E-Business Suite.
The Gateway leverages IDCS as the central authentication, authorization and policy definition point and acts as the policy enforcement point for one or more applications. It uses NGINX, one of the most popular reverse proxy servers in the industry, and Oracle Linux as the platform. It makes use of a scalable cloud-based caching and policy engine which enables customers to define fine-grained authorization policies and configure strong session controls to support regulatory compliance. As part of the policy enforcement actions, customers can make use of IDCS Adaptive Multi-factor authentication to enforce strong, application-centric, context-based policies.
Provisioning Gateway - this is a lightweight agent that enables customers to:
- Integrate with over 60 enterprise applications including mainframes
- Develop custom integrations using the Identity Connector and SCIM.
The Provisioning Gateway's security approach ensures that no firewall ports have to be opened for it to function. Customers need only provide the minimum credentials and permissions required for IDCS to communicate with the target application, which gives administrators a complete view of their on-premises and cloud-based workloads.
Pluggable Authentication Module (PAM) - Customers can use the PAM module to secure access to their on-premises and cloud applications. By integrating the PAM module with IDCS Adaptive MFA, customers can implement strong, context-based security to ensure that administrators can access the workloads while reducing the risks associated with credentials.
2.4 IDCS Integration with on-premises Identity Management
Customers with a hybrid IT service delivery model can use the pre-built integrations with Oracle Access Manager (SAML, OpenID Connect), Oracle Identity Manager (OIM) and Oracle Internet Directory. Customers can use OIM's access request and provisioning capabilities to manage cloud-based apps which use IDCS.
2.5 IDCS and Adaptive Authentication
All the previously described functionality can make use of the Adaptive MFA capabilities in IDCS. This makes use of a measure of risk that can be provided by external risk score providers, such as CASB, and can also be computed based on the user's past behavior, device information, geo-location and velocity and IP reputation. Additionally, customers can define policies that look at how the user authenticated (which IDP and level of assurance), network zones and users' group memberships.
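The policy evaluation described above, as an added example that is not part of the original report and not IDCS code: a login context carrying the signals the text names (an external risk score such as one from a CASB, device familiarity, geo-location and velocity between logins, IP reputation, IdP assurance level, network zone and group membership) is scored and mapped to allow, step-up MFA or deny. The weights, thresholds, zone and reputation category names and the 900 km/h "impossible travel" cut-off are assumptions chosen for illustration.

```python
"""Adaptive-authentication policy evaluation (constructed illustration).

Weights, thresholds and category names below are assumptions, not IDCS policy.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple

GeoPoint = Tuple[float, float, int]  # (latitude, longitude, unix timestamp)


@dataclass
class LoginContext:
    user: str
    groups: List[str]
    idp_assurance: int        # assumed scale: 1 = password only, 2 = IdP with MFA
    network_zone: str         # assumed zone names: "corporate" or "public"
    known_device: bool        # device fingerprint seen before for this user
    ip_reputation: str        # assumed categories: "good", "unknown", "malicious"
    external_risk: Optional[float] = None  # 0..1 from an external provider (e.g. a CASB)
    prev_login: Optional[GeoPoint] = None  # last successful login
    current: Optional[GeoPoint] = None     # this attempt


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km using a mean Earth radius of 6371 km."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def travel_velocity_kmh(prev: GeoPoint, cur: GeoPoint) -> float:
    """Speed the user would have needed to move between the two logins."""
    dist = haversine_km(prev[0], prev[1], cur[0], cur[1])
    hours = (cur[2] - prev[2]) / 3600.0
    if hours <= 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours


IP_WEIGHT = {"good": 0.0, "unknown": 0.1, "malicious": 0.6}
IMPOSSIBLE_TRAVEL_KMH = 900.0  # faster than a commercial flight (assumed threshold)


def risk_score(ctx: LoginContext) -> float:
    """Combine the signals into one 0..1 score (weights are assumptions)."""
    score = 0.0
    if ctx.external_risk is not None:
        score += 0.5 * ctx.external_risk          # external provider's view
    if not ctx.known_device:
        score += 0.2                              # unfamiliar device
    score += IP_WEIGHT[ctx.ip_reputation]         # IP reputation
    if ctx.prev_login and ctx.current:
        if travel_velocity_kmh(ctx.prev_login, ctx.current) > IMPOSSIBLE_TRAVEL_KMH:
            score += 0.4                          # geo-velocity: impossible travel
    return min(score, 1.0)


def decide(ctx: LoginContext) -> str:
    """Return "allow", "mfa" (step-up) or "deny" for this login attempt."""
    score = risk_score(ctx)
    if ctx.ip_reputation == "malicious" or score >= 0.8:
        return "deny"
    if "admins" in ctx.groups:
        return "mfa"            # privileged group membership: always step up
    if score >= 0.3:
        return "mfa"            # elevated risk: step up
    if ctx.idp_assurance >= 2 or ctx.network_zone == "corporate":
        return "allow"          # low risk from a trusted IdP or network zone
    return "mfa"                # low risk but password-only from outside: step up
```

The policy is evaluated per login, so a user who is normally allowed straight through from the corporate zone is stepped up when the same account appears thousands of kilometres away an hour later, and is refused outright when the source IP is known to be malicious.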
2.6 IDCS and API Security
APIs are the foundation on which customers implement digital business initiatives, develop modern business applications and open up new business opportunities. The success of these efforts depends on securing these APIs. IDCS provides customers with an identity-aware, policy-based API security platform. Customers can use OAuth and OpenID Connect to define and secure APIs. They can define custom claims to enrich tokens for information exchange, and token policies to control when tokens are issued, to whom and with what characteristics. IDCS integrates with API gateways and API platforms such as Oracle API Cloud Service, API Gateway and third-party API gateways. Security administrators can monitor token issuance and revoke tokens with immediate effect when abnormal incidents occur. IDCS and Oracle Web Application Firewall can protect APIs against denial of service, botware and other threats, providing a complete API security solution.
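The token-based API protection described above, as an added example that is not part of the original report and not IDCS or Oracle API Gateway code: a minimal issuer applies a token policy (short lifetime, explicit audience, scopes and a custom claim), and a gateway-side check validates signature, algorithm, issuer, audience, expiry and a revocation list before enforcing per-route scopes and the custom claim. The HS256 shared key, issuer name, route table, claim names and tenant value are assumptions constructed for the example; a production deployment would verify asymmetric signatures against the issuer's published keys rather than a shared secret.

```python
"""Policy enforcement for a bearer-token protected API (constructed illustration).

Names, key, routes and claim names are assumptions; the IDCS token format
and policy model are not reproduced here.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

ISSUER = "https://idp.example"                    # assumed issuer identifier
SIGNING_KEY = b"constructed-demo-key-do-not-use"  # demo-only shared secret
REVOKED_JTI = set()                               # revocation list checked on every request


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, audience: str, scopes: List[str],
                custom_claims: Dict[str, str], ttl: int = 300,
                now: Optional[int] = None, jti: Optional[str] = None) -> str:
    """Token policy: short lifetime, explicit audience, scopes plus custom claims."""
    now = int(time.time()) if now is None else now
    jti = jti or hashlib.sha256(f"{subject}:{now}".encode()).hexdigest()[:16]
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": subject, "aud": audience, "iat": now,
               "exp": now + ttl, "jti": jti, "scope": " ".join(scopes), **custom_claims}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def revoke(jti: str) -> None:
    """Immediate revocation: later requests carrying this jti are rejected."""
    REVOKED_JTI.add(jti)


class TokenError(Exception):
    pass


def verify_token(token: str, audience: str, now: Optional[int] = None) -> dict:
    """Validate algorithm, signature, issuer, audience, expiry and revocation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed")
    head, body, sig = parts
    header = json.loads(_b64url_decode(head))
    if header.get("alg") != "HS256":          # allow-list the algorithm; never accept "none"
        raise TokenError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(body))  # claims are trusted only after the signature check
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("aud") != audience:
        raise TokenError("wrong audience")
    if int(claims.get("exp", 0)) <= now:
        raise TokenError("expired")
    if claims.get("jti") in REVOKED_JTI:
        raise TokenError("revoked")
    return claims


# Assumed route policy: the scopes each API operation requires.
ROUTE_SCOPES = {("GET", "/orders"): {"orders:read"},
                ("POST", "/orders"): {"orders:write"}}


def authorize(token: str, method: str, path: str, audience: str = "orders-api",
              expected_tenant: str = "acme", now: Optional[int] = None) -> Tuple[int, str]:
    """Gateway decision for one request: (HTTP status, reason or subject)."""
    try:
        claims = verify_token(token, audience, now)
    except TokenError as err:
        return 401, str(err)
    required = ROUTE_SCOPES.get((method, path))
    if required is None:
        return 404, "unknown route"
    granted = set(claims.get("scope", "").split())
    if not required <= granted:
        return 403, "insufficient scope"
    if claims.get("tenant") != expected_tenant:   # custom claim carried in the token
        return 403, "tenant not allowed"
    return 200, claims["sub"]
```

The check order matters: the signature is verified before any claim is read, so a forged or altered payload never reaches the scope or tenant logic, and the revocation list is consulted on every request so that an administrator's revoke takes effect immediately rather than at token expiry.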
3 Strengths and Challenges
Oracle Identity Cloud Service provides a solution that will be very attractive to existing Oracle customers. It is tightly integrated with other Oracle business products as well as Oracle security products such as Oracle CASB, Oracle Access Manager, Oracle Identity Manager (OIM) and Oracle Internet Directory.
It provides a comprehensive range of functionality for multiple real-life use cases. These include not only access to cloud SaaS services but also access to applications delivered through the increasingly important hybrid on premises / multi-cloud environment. The ability to integrate with and to coexist with on-premises identity management tools is a key benefit since it is not practical to rip and replace these tools in the real world.
The functionality provided covers single sign-on, adaptive multi-factor authentication and automated, role-based identity lifecycle management. Customers can use the IDCS Gateway to secure access to on-premises workloads like PeopleSoft, Hyperion, SAP or custom applications that use HTTP headers or cookies, as well as cloud-based workloads running on compute services that can support containers. Customers with a hybrid IT service delivery model can use the pre-built integrations with Oracle Access Manager (using open standards such as SAML and OpenID Connect), Oracle Identity Manager (OIM) and Oracle Internet Directory.
While IDCS is an appealing offer for existing customers of Oracle’s business products, it may be less so to others. It is tightly integrated with other Oracle security tools and supports open standards such as SCIM, SAML and OAuth; however, integration with other vendors’ on-premises identity management tools may require more effort. In common with other IDaaS products, it does not provide identity governance for cloud and on-premises apps; this would require integration with Oracle Identity Governance, which is available from Oracle out of the box.
4 Related Research
Leadership Compass: Identity Governance & Administration - 71135
Leadership Compass: Adaptive Authentication - 79011
Leadership Compass: Access Governance & Intelligence - 71145
Leadership Compass: Cloud Access Security Brokers - 72534
Leadership Compass: Privilege Management - 72330
Leadership Compass: Identity as a Service: Single Sign-On to the Cloud (IDaaS SSO) - 71141
Leadership Compass: Identity as a Service: Cloud-based Provisioning, Access Governance and Federation (IDaaS B2E) - 70319
Architecture Blueprint: Access Governance and Privilege Management - 79045
Advisory Note: KRIs and KPI for Access Governance - 72559