The proposed standards, dubbed the Identity Governance Framework, would let companies apply privacy and security controls to information as it moves from one business application to another. This should help safeguard personal data such as credit card details and Social Security numbers, Oracle said on the release of IGF on Wednesday.
"A lot of data security breaches are happening because identity information is in far too many places within an enterprise," said Amit Jasuja, vice president of development, security and identity management at Oracle. "Most often people don't even know that there is identity information that they need tighter controls over."
The IGF would let companies with sensitive data, such as banks, control how identity attributes are used by applications. Identity attributes are items such as names, addresses and bank account numbers associated with a customer or partner, and the applications that use them might include customer service, payroll and manufacturing programs. The specifications should help compliance with regulatory requirements such as the European Data Protection Initiative, Sarbanes-Oxley, and Gramm-Leach-Bliley, Oracle said.
The business software maker developed the IGF on its own, but has garnered the support of CA, Layer 7 Technologies, Novell, Ping Identity, Securent and Sun Microsystems. These companies plan to help develop full specifications, Oracle said.
But the proposals don't actually solve the problem of data breaches, Forrester Research analyst Jonathan Penn said. They give better visibility into the use of sensitive personal information, but that's all.
"It looks like too much effort for not enough reward," he said. "What is being proposed is an application-to-application architecture. That wouldn't have any effect on, say, misuse of the customer relationship management system to gain access to customers' personal data."
Even if the effort does come up with a standard way to increase visibility into the use of data by applications, it could be hobbled by the absence of several big players, Penn said. Noticeably missing are SAP, IBM and Microsoft. "That is a problem," Penn said.
Microsoft may not support it because the Oracle proposal seems biased towards theand the SAML standard for exchanging authentication and authorization data, which Microsoft has never officially backed, Penn said. IBM has its own Tivoli Privacy Manager, a tool that does much of what Oracle is proposing, he added.
Filling a gap
Oracle may not solve the data breach problem, but the proposals do fill a standards gap and seek to provide a solution for a real issue, Burton Group analyst Bob Blakley said.
"There are a lot of identity technologies out there that allow you to exchange identity information, and those technologies will not realize their full potential until the systems that use them know what identity attributes to exchange," he said.
The IGF complements work on identity-related standards done in the OASIS (Organization for the Advancement of Structured Information Standards), and , Oracle said.,
Those initiatives focus on making sure user information is collected with the appropriate consent and is efficiently transferred to a company's system, Jasuja said. Oracle's proposal builds another level on top of these efforts, he noted.
"They are really about the first mile. But then, once this data is in the enterprise, who makes sure that as it flows from one application to another, or is shared from one company to a partner, that the same privacy rules are followed?" he asked.
Oracle has produced two draft specifications. It has also come up with a developer tool, called an application programming interface, or API, to work with these specifications. The company plans to submit its work to a yet-to-be-determined standards body within the next 90 days and to make it freely accessible.
The two draft IGF specifications are Client Attribute Requirement Markup Language (CARML) and Attribute Authority Policy Markup Language (AAPML). CARML is an XML-based set of definitions provided by an application's developer that includes the usage requirements of the application; AAPML is a set of policy rules regarding the use of identity-related information. More details are available on Oracle's IGF Web site.
The Redwood City, Calif.-based company said it also intends to include the work in its upcoming Fusion business applications, due in 2008.