Oracle Identity Analytics 11g
by Deborah Volk on October 19th, 2009

UPDATE (Feb 2010): The product described in this post is dead. Sun Role Manager has been renamed to Oracle Identity Analytics and the end result is NOT the same as the product announced at OpenWorld. Stay tuned for more details in another blog post.

Another session at Oracle OpenWorld I attended was for Oracle Identity Analytics (OIA), a new product Oracle built from existing parts for 11g. The product was first announced in the early summer of 2009, but if you were reading the Oracle tea leaves, you knew about it even before that.

Oracle Identity Analytics is a "classic" BI solution circa 2009 with features specific to the identity and access universe sprinkled throughout. Oracle calls it a "unique, BI-centric approach" to identity and audit compliance. The ingredients of this cake are:

1) a slick BI front-end (thank you, Oracle BI suite)
2) a data warehouse (read: Oracle database optimized for reporting and analysis)
3) a way to extract and transform data from various sources for loading into OIA (thank you, Oracle Data Integrator)
4) a way to make sense of the data and discover hidden patterns (thank you, Oracle Data Mining)
5) tight(er) integration with neighbor products in the IAM suite, namely Oracle Identity Manager

Functionally OIA is a mashup of three slices: reporting, analytics and attestation. Segregation of duties is also part of OIA and it could be considered a fourth slice, but let's pretend it's part of analytics. (If we wanted to be classification purists, we'd note that reporting is also an analytical feature, usually referred to as descriptive analytics. Attestation, on the other hand, doesn't fit as neatly into an analytics sandbox.) A picture is worth (less than) a thousand words in the previous paragraph:

Reporting, analytics and attestation deliver on challenges surfaced in the Governance and Risk areas of IT. Is OIA then a GRC product? Well, it's 2/3 of one! If you consider attestation a compensating control, then one could say it's a narrowly defined GRC solution. Furthermore, OIA took over role mining and some other features of Oracle Role Manager (ORM) that were left on the floor after the identity administration aspects of ORM were surgically removed and donated to Oracle Identity Manager 11g.

From the reporting perspective, OIA's raison d'être is easy to grasp. All Oracle IAM products have reporting features, yet reporting on identity or access events in siloed fashion (each product does its own thing on top of its own data store) is not the best solution. It's a good solution in that it meets the needs of many customers, especially customers who start with a particular product such as Oracle Identity Manager and may not deploy other pieces of the Oracle IAM suite. While it is true that there are single-product customers out there, it is also true that there are plenty of customers who own and deploy more than one Oracle IAM product. Comparing the number of single- vs multi-product deployments, multi-product installs win, at least in our experience. For customers deploying multiple Oracle IAM products, the question of consolidating reports and making sense of data across products is a very real one.

Oracle acknowledged this issue in 10g by providing for an optional consolidation of reporting across the IAM stack via BI Publisher. The reporting slice of Oracle Identity Analytics is a direct evolution of this need. For an enterprise-wide take on reporting, you have to have both the appropriate infrastructure (e.g. a star schema, ETL tools) and, more importantly, data collected from various operational stores. Having properly denormalized data from everywhere is necessary but not sufficient by itself. You need domain-specific interpretation of this data. In the IAM world, this bubbles up via two intertwined aspects: compliance / audit and risk mitigation. In plain English: stop the auditors or regulators from fining us for having poor controls that may lead to attacks/breaches, OR reduce the likelihood of attacks/breaches so that auditors and regulators will have a chance to fine us for something else.

In the analytics context, correlation across identity and access events in various silos creates the coveted synergistic effect where 1+1 = 3. As Security Information and Event Management (SIEM) vendors will tell you, successful correlation is 80% perspiration (coming up with the rules / criteria for correlation and the associated alarms: is it a malicious attacker, or merely a clueless user who can't remember his password, forgot his door access code and borrowed a card key from a friend?) and 20% having the data in one place. Thus, having some pre-packaged correlation reports covering Oracle IAM suite products as data sources would be nice to have.

The mention of SIEM is not entirely accidental. Oracle Data Integrator is a general-purpose ETL tool and as such it can be used to grab data from any source, be it an Oracle IAM product, an Oracle application or a third-party app. The source doesn't even have to be a database; the data could come from flat files offloaded from a mainframe, for example. This 'digest and correlate all data' approach is reminiscent of SIEM products, and someone in the audience at OpenWorld asked if Oracle is moving into SIEM territory with OIA. The answer was no or, to be more precise, the answer was "not now". OIA won't deal with data sources that have traditionally been part of the SIEM landscape, e.g. network devices. Nevertheless, the distinction seems to be purely technical to me since OIA is clearly capable of dealing with any kind of data.

Attestation is the second slice of OIA and it's probably the slice that's going to be the driver for deploying this product. With attestation targets covering the entire range of possibilities - user accounts, roles, entitlements, membership sets (both role and group) - and attestation workflow appearing to be quite flexible (multi-level AND event-based, with advanced support for reminders, escalations and delegation), on paper OIA meets 80% of attestation requirements out of the box. This is a shot across the bow of vendors such as Aveksa and SailPoint as well as many other identity audit / compliance solutions that have been sold to the line of business.

It's worth noting that attestation generates actionable events, i.e. if an employee left the company but his account and associated access are still alive and well, attestation could kick off a de-provisioning workflow. Previously, with attestation entirely contained in Oracle Identity Manager, both the reporting and action steps of the attestation process were in OIM. In 11g, the reporting side of attestation will be in OIA but action will remain in OIM. Oracle promises to have 2-way integration so that when someone attests in OIA, OIA will call OIM to execute an appropriate action on the target of attestation.

Segregation of Duties (SoD) is another interesting piece of OIA. OIA will have its own SoD engine which could be used to centralize an entire SoD policy lifecycle in OIA, including policy definition, preventive SoD simulation (detect conflicts at design-time), detective SoD check (detect conflicts at run-time), and mitigation. SoD checks and violations are recorded as events in the OIA data store so that they can be reported on or sliced and diced along with other data. Since Oracle owns a powerful SoD capability from its acquisition of Logical Apps, the distinction between OIA SoD (aka SoD for Enterprise IT) and Logical Apps SoD (aka SoD for Oracle E-Business Suite) was carefully painted. (Another reason for this distinction is OIM 10g's integration with Logical Apps.)

If I read between the lines, the SoD engine in OIA may be used by other IAM products in the Oracle stack for, well, dealing with SoD issues. If OIA contains data from many apps in the IAM suite, then SoD could truly be a killer app since (perhaps for the first time) one can truly consider toxic policies or business rules based on events that span IAM products. I suppose there's nothing to prevent any app from querying OIA's SoD engine, so that OIA may eventually morph into more of a decision engine rather than just an analytics app.
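To make the four lifecycle stages above concrete, here is a toy SoD engine I put together for this post; it is not OIA's engine or any Oracle API, and the policy names, entitlements and users are constructed. It shows the preventive check (simulate a grant before it happens), the detective check (scan live assignments), a mitigation that records an approved exception, and the event trail that a reporting layer would later slice and dice.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class SodEngine:
    # policy name -> pair of entitlements one person must never hold together
    policies: Dict[str, Tuple[str, str]]
    exceptions: Set[Tuple[str, str]] = field(default_factory=set)  # (user, policy) risk-accepted
    events: List[dict] = field(default_factory=list)               # audit trail for later reporting

    def _violations(self, user: str, ents: Set[str]) -> List[str]:
        # A policy fires when both conflicting entitlements are held and no exception covers it
        return [name for name, pair in self.policies.items()
                if set(pair) <= ents and (user, name) not in self.exceptions]

    def simulate(self, user: str, current: Set[str], requested: str) -> List[str]:
        """Preventive check: conflicts a proposed grant would create, evaluated before it happens."""
        found = self._violations(user, current | {requested})
        self.events.append({"kind": "preventive", "user": user,
                            "requested": requested, "violations": found})
        return found

    def scan(self, assignments: Dict[str, Set[str]]) -> Dict[str, List[str]]:
        """Detective check: conflicts already present in live assignments."""
        hits = {}
        for user, ents in assignments.items():
            found = self._violations(user, ents)
            if found:
                hits[user] = found
                self.events.append({"kind": "detective", "user": user, "violations": found})
        return hits

    def mitigate(self, user: str, policy: str, justification: str) -> None:
        """Mitigation: an approved exception keeps the conflict tracked without re-flagging it."""
        self.exceptions.add((user, policy))
        self.events.append({"kind": "mitigation", "user": user,
                            "policy": policy, "justification": justification})

# Constructed sample policies and assignments, not data from any real OIA deployment
POLICIES = {"AP-001": ("create_vendor", "approve_payment"), "HR-002": ("modify_payroll", "approve_payroll")}
ASSIGNMENTS = {"alice": {"create_vendor", "view_reports"}, "bob": {"create_vendor", "approve_payment"}}

def run_lifecycle() -> dict:
    engine = SodEngine(POLICIES)
    preventive = engine.simulate("alice", ASSIGNMENTS["alice"], "approve_payment")
    detective = engine.scan(ASSIGNMENTS)
    engine.mitigate("bob", "AP-001", "compensating control: monthly controller review")
    after = engine.scan(ASSIGNMENTS)
    return {"preventive": preventive, "detective": detective,
            "after_mitigation": after, "events": engine.events}
```

Note that alice's request is blocked at design time while bob's existing conflict is only caught by the run-time scan, which is exactly why both checks are needed; the mitigation leaves an event behind rather than making the violation disappear silently.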

The release date of OIA 11g is calendar year 2010; it will be aligned with the 11g releases of OIM and OAM.

Posted in Oracle Identity Analytics, Oracle Role Manager    Tagged with oow09, 11g, attestation


M.M. - November 18th, 2009 at 3:16 AM
Interesting article! After some months working with OIM, I can say that the existing reporting features are quite poor. Fortunately Oracle decided to move BI Publisher into OIM solutions; this was a good move and made reporting in OIM much easier and more powerful. So having this experience, I can say that Oracle Identity Analytics is a really good direction. I can't wait to touch it ;-)
M.M. - March 4th, 2010 at 8:40 AM
I have heard recently (from a webcast from Oracle) that OIA will be based on Sun Role Manager? So, what is exactly the true version?
Deborah Volk - March 4th, 2010 at 9:30 AM
OIA will be based on Sun Role Manager. The OIA described in this post is dead. Same name, different products.
M.M. - March 8th, 2010 at 5:58 AM
So you mean that OIA will finally have nothing to do with Oracle BI, Oracle Data Integrator, Oracle Data Mining etc. (as described in the post)?

Do you know maybe why Oracle has changed that?
Deborah Volk - March 8th, 2010 at 6:19 AM
Yes, I mean that. As to why, my guess is that it's easier to market and sell an established product that's been around for a while than to push a first release of a new product. Aside from the sizeable capital investment on a new product side, there's maintenance revenue and customers at stake. I could come up with other reasons but I think the business rationale is primary.
