Oracle Expands Footprint in Authentication

On the heels of the Bharosa acquisition, Oracle releases Adaptive Access Manager 10g.

Oracles acquisition of Bharosa in July caused a stir in the market for authentication tools. On Oct. 22, the acquisition bore its first commercially available fruit in the form of Oracle Adaptive Access Manager 10g, a move company officials hope will expand Oracles footprint in the identity management and authentication space.

Oracle is integrating Adaptive Access Manager 10g with its other identity management tools and included a number of features such as turnkey knowledge-based authentication, which allows enterprises to stay with simple user name and password schemes for low-risk activity. It also upped the ante with question-and-answer authentication credentials if the level of risk increases.

"The new release focuses on a few key areas: new knowledge-based authentication capabilities; enhanced system dashboards; and tight integration with Oracle Identity Management," said Amit Jasuja, vice president of development, security and identity management at Redwood Shores, Calif.-based Oracle. "As customers look at strengthening their authentication frameworks, they struggle with three things—what is the right user experience that balances risk with usability, how to integrate the new risk-based authentication technologies with their business applications, and how is the system working."

When Oracle announced it was buying Bharosa, which specialized in risk-based authentication and anti-fraud technologies, analysts described the play as a major investment in a growing space.

However, Forrester Research analyst Jonathan Penn said Oracle is not really ahead of some of its competitors.

"Other vendors have such capabilities of Web SSO [single-sign on] and adaptive authentication, notably RSA and Entrust," Penn said. "Theyve explored this path in the past without much success. The reason is that there hasnt been any big demand for this outside of banking, and we havent seen our clients articulate this either—not yet, anyway."

In the long term, Penn sees the idea of authorization becoming more fluid. For example, users privileges as defined in their accounts should represent a best case, and not be the only factor in determining whether people can perform certain activities and transactions, he said.


Click here to read more about whats new in new authentication technologies for online transactions.

"We see this most pronounced today in online banking, but we also see this in VPNs and remote access, and in database security tools," he said. "Long term, authorization will become more dynamic, and will incorporate some of this adaptive authentication."

Penn said Bharosas history is primarily in user profiling.

"Thats the commoditized element of all this," he said. "Rather, we see the risk engine as the key element here: There is a lot more to making such dynamic authorization decisions than whether [users are] who they purport to be. There are issues of trust and reputation, as anti-spam services offer, past actions and patterns of activity, whether known good or known bad or just simply deviating from the users norm."

However, other analysts said that the presence of real-time fraud detection in Oracles product helps strengthen security.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.