Oracle builds in single sign-on

The Oracle Identity Management software, available now, is designed to ensure that corporate employees or business partners can enter a name and password one time to sign on to several applications. The software, which will be incorporated into Oracle's existing products, is targeted mainly at Oracle customers with several hundreds or thousands of user account names to manage, company executives said.

Oracle's entry into security reflects similar moves by its competitors, which provide server software and tools for building and running Web applications. Earlier this week, BEA Systems announced plans to offer application security, while IBM and Sun Microsystems offer identity management tools with their Java-based application servers. Oracle executives said they are entering the security field in response to customers, who are demanding a single point for administering network access rights.

Businesses can save money with a centralized access control system by using features that eliminate calls to company help desks, said Mary Ann Davidson, chief security officer at Oracle. Citing research from Meta Group, Oracle said a 10,000-employee company could save $648,000 per year by automating the task of resetting employee passwords.

The foundation of Oracle's security product is a directory for storing user names and passwords. The Identity Management application provides services, including single sign-on to different servers. It can automatically provision a person's name and password on several systems and can also issue digital certificates that are based on the public key infrastructure system for authentication.

The first version of Identity Management is focused on securing Oracle software and Web applications, but the company has built the software so that it can interoperate with other security schemes, said John Heimann, director of security product management in the server platform technology group at Oracle. The company has used a directory compliant with the Lightweight Directory Access Protocol standard, which can link to other network directories, and the company is recruiting partners to integrate their products with Oracle's Identity Management, he said.

Oracle executives say a centralized authentication service is an important part of the company's plans to introduce grid capabilities into its database and application server. Release dates for Oracle 10g and Oracle Application Server 10g are set to be announced at the end of the year.

With grid computing, several low-cost server computers are lashed together to perform the work of a single, more expensive server. Companies won't get the advantages of cheap hardware in a grid configuration without a simplified identity management system that can automatically control network access to many machines, Davidson said.

The move by Oracle to incorporate security into application servers and databases could potentially encroach on business from specialized security software providers. Heimann said standalone security companies over time will likely be acquired or will partner with other companies, as large software infrastructure providers such as Oracle move into security.

"This is a maturing area," Heimann said. "Increasingly, customers will realize the important aspects of security, and how it has to be based on mature technology that can scale and be available."

In the short term, however, security specialists are still able to differentiate themselves from software infrastructure companies such as Oracle, Gartner analyst John Pescatore said. Security specialists such as Oblix and Netegrity, which focus on identity management, have more mature products that are designed to work across different operating systems and packaged applications, he said.