Oracle Spearheads Data Management Standards Effort

Oracle is aiming to help companies improve their ability to manage and protect sensitive customer information with a new initiative that encourages businesses to isolate such data outside of individual IT applications.

The company introduced the project, called the Identity Governance Framework, or IGF, on Nov. 29, and said it specifically seeks to aid companies in handling sensitive identity-related employee, customer and partner information as it flows across heterogeneous applications.

If businesses pull such information out of their IT systems and enterprise applications and store the data in more centralized repositories, they will be much less likely to suffer the breaches that have left many companies fighting to defend their reputations after high-profile incidents where sensitive records have been lost or mishandled, Oracle officials said.

At the heart of the IGF standards initiative is a list of technological guidelines meant to help companies establish “contracts” between their applications and repositories of sensitive information, including four software components already endorsed by Oracle’s partners in the effort, which include Sun Microsystems, Novell, Ping Identity and Securent. Other technology providers considering participation in the program include BEA Systems, IBM and SAP, Oracle officials said.

Oracle executives said that the company decided to launch the effort as it considered the challenges it faces in finding ways to help its own customers manage the flow of sensitive information across its various database and enterprise applications. The initiative was specifically touched off by the work Oracle is doing to help protect such data in its next-generation Fusion enterprise software.

The standards proposed by IGF are meant to complement other data governance policies being drafted by groups including the Higgins Project, Liberty Alliance and OASIS, and the database giant is hopeful that one of those industry groups will decide to sponsor its work, said Amit Jasuja, vice president of development for security and identity management at Oracle, in Redwood Shores, Calif.

“The reason we look at these types of standards as a sound approach in handling identifying information is we understand the need for our products to coexist in every company with software from lots of different players,” Jasuja said. “Today companies are struggling to find ways to better manage information across different directories and development environments to try and approach this problem more effectively; there’s been improvement over the last year, but we saw areas where we felt there was more work that could be done to help customers fight the underlying issue of identity theft.”

Companies should look closely at how they manage their databases to make the compliance auditing process less painful and more cost-effective, analysts say. Click here to read more.

The initial IGF standards proposed by the group include CARML (Client Attribute Requirement Markup Language), an XML-based programming technique that consists of a so-called contract defined by application developers to inform IT workers about the usage requirements of an application related to sensitive data. Another element, the AAPML (Attribute Authority Policy Markup Language), consists of a set of policy rules for managing the use of identity-related information from a repository that allow the database to specify parameters regarding the use of information by other applications.

The initiative has also proposed an API meant to make it easier for software developers to build programs in a manner that conforms with policies regarding the use of sensitive data, along with an Identity Service, which is supposed to help developers create standardized methods for sourcing identity-related data from multiple repositories.

Jasuja said that most of Oracle’s customers admit that they only know that 25 percent of their sensitive data is stored where it is adequately protected, while the remainder of the information is distributed throughout many different applications and repositories. If the information can be pulled out of those applications and placed within the boundaries of a more strict data governance framework such as that proposed via IGF, businesses’ ability to defend their most valuable customer information will be greatly enhanced, he said.

“Companies need to ensure that they have the appropriate controls in place over all identifying data; they need to ask themselves where the information is stored, how it is used, and whether it is in compliance with all the necessary regulations and privacy issues for their respective industries,” Jasuja said. “We’re talking about a fairly significant way of reformatting the manner in which people deal with this sort of data that gets into development, policy and management of enterprise applications.”

Oracle officials said that even longtime rival Microsoft is mulling the proposed standards over, and the database company hopes its competitor is willing to join the effort. Microsoft’s Active Directory software lies at the bottom of many businesses’ existing records-management strategies, which would make the company’s participation in IGF that much more important, said Jasuja.

Some of Oracle’s partners in the effort have already begun advocating for IGF to marry its work with specific standards groups.

“The direction which the IGF is heading is positive,” Don Bowen, director of Identity Integration for Sun Microsystems, said in a statement. “Sun supports its submission to a standards body and thinks the Liberty Alliance may be best, as it is a natural and essential evolution of the work already done within that organization.”

Check out eWEEK.com’s Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraine’s eWEEK Security Watch blog.