Cyber Security Institute

Wednesday, November 29, 2006

Security ID Governance on Oracle’s Standard Plate

Oracle said it is pushing a new security framework to help companies better protect sensitive employee, customer and partner information exchanged through applications. Ping Identity, Securent, CA, Novell and Sun Microsystems are joining the Identity Governance Framework (IGF), an effort Oracle is spearheading to fill a void in security standards. IGF addresses what happens once data gets into corporate applications, making it a complementary spec to basic identity management standards, such as Liberty’s Identity and Web Services Federation (ID-WSF) and OASIS’s Security Assurance Markup Language (SAML). IGF is crucial for meeting compliance rules and elementary security requirements, according to Amit Jasuja, vice president of development for security and identity management at Oracle.

Oracle hopes to take IGF to a standards body such as W3C, OASIS or the Liberty Alliance for further development, at a time when Web security is a huge area of concern for corporations that must meet federal regulations requiring stringent privacy policies.

To date, specifications from the Liberty Alliance, Higgins Project and Microsoft enable businesses to gather personal data from customers and bring it safely into the enterprise system for use among partners, suppliers and customers. Nobody is tracking which application the personal data ends up in, or whether that data is being used appropriately and by authorized personnel. That data can include PINs, Social Security numbers or even credit card and bank account information. For example, a patient’s medical history should only exist as a contract between the patient and the primary care physician, and should not be exposed to a nurse practitioner or insurance broker.

IGF offers a standard way for corporations to define policies to securely share sensitive personal information between applications and identity sources.

Rolling IGF into a standards body should also make the specs more appealing to Oracle rivals that may be hesitant to join the effort because the software giant is its chief architect, Jasuja said. For example, Jasuja said that some of the vendors Oracle invited to join IGF, including Microsoft, IBM and BEA Systems, are taking a wait-and-see approach and are reticent to come aboard because Oracle is fueling the framework.

Posted on 11/29