Oracle Plays Catch-Up in Identity Access Market

By Lisa Vaas  |  Posted 2005-11-18

Oracle Plays Catch-Up in Identity Access Market

Oracle Corp., late to the game when it comes to identity access management, is making up for lost time with its Wednesday announcement of a double buy.

The database colossus announced it is purchasing two companies: Thor Technologies Inc., maker of cross-platform provisioning technologies, and OctetString Inc., maker of virtual directory software.

Oracle didnt mention dollar amounts for the purchase of either private company. But the small outfits are likely tidbits in the vast gullet of Oracle, which has spent some $19 billion during the course of its two-year shopping spree.

Click here to read about Oracles CFO troubles.

Jonathan Penn, an analyst for Forrester Research Inc., said the technology additions will now boost Oracle to the rank of major player in the IDM (identity management) market.

"The combined set of products obtained through the acquisition form a J2EE-based [Java 2 Platform, Enterprise Edition] portfolio that is highly flexible, [with a] flexible administrative model, flexible role model, flexible data model [and] flexible connector architecture," he said in an e-mail exchange.

Oracle is picking up enhanced provisioning with Thor. Oracle Xellerate Identity Provisioning—formerly Thor Xellerate—allows organizations to manage user-access rights and privileges throughout the provisioning life cycle and across diverse IT environments.

With the OctetString technology, Oracle is gaining virtual directory technology that allows for multi-directory consolidation, password integration across directories and directory proxy capabilities—all features that help to accelerate identity management and other application deployment.

It also gives Oracle hot-pluggable capabilities for Oracle applications so they can coax identity data out of existing enterprise databases and directories. The technology, OctetString Virtual Directory Engine, will be rebranded as Oracle Virtual Directory.

The products are available now through Oracle under their original names, and the rebranded products will be available by years end.

The purchases are another milestone in Oracles transitional strategy in the space, said Phil Schacter, vice president of Security and Identity Management for the Burton Group.

Up until eight months ago, when Oracle purchased Oblix, a maker of secure ID software, the company had focused its IDM efforts internally, Schacter said.

"In the past, [Oracles technologies] were primarily there to support Oracle applications," he said. "It was very platform-specific, mostly. They had directory technology and a couple of other bits and pieces internally, [such as] some single sign-on. But [it was] not a major heterogeneous play."

The Oblix buy was key to broadening Oracles focus. Click here to read more.

Oracle underwent a sea change in the months leading up to the Oblix acquisition, finally deciding that becoming an IDM player was core to its success as a portal and applications company, Schacter said.

It wasnt hard to find inspiration: Oracles cohort was making tracks toward offering IDM tools for enterprises, and Oracle was being left in the dust.

To wit: As far back as 2002, IBM purchased Access360. In November 2003, Sun Microsystems Inc. purchased Waveset Technologies.

In October 2004, Computer Associates International Inc. announced it would buy identity management vendor Netegrity Inc. Then BMC Software Inc. picked up IDM vendor Calendra for $33 million in January 2005, and then it turned around and bought OpenNetwork Technologies in March 2005—the same month Oracle announced the Oblix buy.

Next Page: Oracles challenge is integration.

Oracles Challenge Is Integration

With Wednesdays announced acquisitions, Oracle now has several Tier-1 IDM products, Penn said. The problem now, though, is that the company is late to the game.

Where its competition has integrated products in place, Oracle is still putting the pieces together.

"Most big competitors made their acquisitions 12 to 24 months ago, and these are mostly, if not completely, integrated already," Penn said. "The full integration of [Oracles] products probably wont happen until early 2007."

Hasan Rizvi, vice president for Identity Management at Oracle, told Ziff Davis Internet News in an interview following Oracles news briefing on the acquisitions that customers arent all that concerned about integration anyway—as long as theyve got the best point products out there.

"From our experience talking to customers, theyre more focused on having best-of-breed technology available to them, and not [as] concerned that they have two consoles to [run it on]," Rizvi said.

"So the first thing is to make sure [the stand-alone products] are bulletproof in terms of installation, life-cycle management," and other areas, such as availability and quality, he said.

With customers buying those best-of-breed products on their own and stitching it all together, they have no way of knowing whether it all works together well, he said.

"Theyre the ones testing it. Theyre the first ones to put it together, the first one to test it, the one to find problems," he said.

Thus, the first level of security is to give customers pre-tested, pre-certified solutions, to reduce the complexity of putting it together themselves, Rizvi said.

The second priority is ironing out the interface and console issue, which is "not [the primary] focus from the customer perspective," he said.

The Burton Groups Schacter wasnt so sure on that point, however.

"Customers are living with multiple interfaces now," he said. "Would they like to reduce the amount of interfaces? Yeah, they would. And going with a single vendor is getting consolidation a single support number. And a single place to go to find the audit records would be nice."

There is value for Oracle in these acquisitions beyond the IDM market opportunity, Penn said. "These products can help provide a bridge for co-existence or migration between Oracle Business Suite environments and enterprise applications that it has acquired," he said.

Still, Oracle is faced with the challenge of presenting a unique value proposition attractive enough to the CISOs, CIOs and security and application architects, he said.

"It will not be adequate for Oracle just to try to leverage its place in the enterprise application market," Penn said. "Nor will it be enough to go after Oracle customers, who are also customers of Sun, IBM or CA anyway. So theres a lot of work on messaging, marketing and visionary-type identity management ahead for Oracle."

Oracle claims that with the purchases of Thor and OctetString, on top of its earlier Oblix buy, the real differentiator is the breadth of Oracles suite.

As far as claiming to have the best feature set goes, Schacter said that to his knowledge, Oracle still lacks single sign-on, at least for the mainframe.

Wynn White, senior director of Oracle Identity Management & Security Marketing, said Oracle does have single sign-on, thanks to the Oblix purchase. "Oracles product Oracle COREid Access and Identity delivers Web apps [single sign-on] and, in fact, is an industry leader," he said.

But when it comes to enterprise single sign-on, Oracle is still working on it, he said. "This is more of a niche access control offering for legacy applications," he said. "Oracles stated direction is similar to many of our competitors in this space and that is why we partner with key providers of this technology to deliver this solution to our customers."

Feature list claims aside, IBM is still the one to beat with its Tivoli line, and CA is right up there with its eTrust line and its Netegrity purchase, Schacter said.

Bob Maddy, vice president of IBMs Tivoli strategy, said Oracle has it all wrong anyway. "Theyre not really solving the customers core problem," he said. "What they dont need is more silos of management. People who are doing identity and access, how do you tie all that information to the underlying infrastructure? They have no technology in this space. Its all manual with their tools."

Oracles White challenged Maddys assessment, pointing to the virtual directory technology from OctetString as the piece that will serve to pull disparate identity data together, whether that data comes from individual applications, various directories spread through the enterprise or databases.

"Our suite approach to identity management enables us to centralize the management of identity information that leverages common identity data and common identity management processes—i.e., workflow, etc. Thats the beauty of the suite," he said.

This is the end goal all enterprises are working for with IDM, White said. While Oracle wont have such a solution overnight, he said, its something the company is driving toward, as is obvious from the nature of the companys acquisitions.

Editors Note: This story was updated to include additional comments from Oracle.

Check out eWEEK.coms for the latest database news, reviews and analysis.

Rocket Fuel