
Wednesday, October 18, 2023

OCI Security & Access Control, Part II

 People, Ideas & Objects and Oracle Corporation

Starting with the Security & Access Control module, we find that Oracle Corporation has a comprehensive suite of applications, falling under the Oracle Identity Management brand name, that provides the security and access control we are looking for. These products include tools for Access Management, Identity Administration, Directory Services and Governance. These product classifications come in a variety of different products and are configured in some specialty industry and management suites.

Two areas in the Preliminary Specification that will be challenging to develop are the Industrial Command & Control (ICC) and the inter-relatedness of the Joint Operating Committee and service industry representatives. Early on in the specification we noted a number of areas where research needed to be conducted. These are two areas that will take research dollars to resolve. To have the ICC recognize members of different organizations will not be a challenge. To engage them, and have them interact in the manner we expect them to when we expect them to, will.

Oracle Identity Management resides within the Oracle Fusion Middleware product layer. As we indicated earlier in the Preliminary Specification, this is Oracle’s Java Enterprise Server. Therefore these applications are open to tailoring to our users' needs through the process of “additions” as Oracle calls them. When we sit down with Oracle and define the Security & Access Control module based on our user needs, these needs can be accommodated by the technologies we have selected.

And it is through our user community that we will resolve these issues. It is one of the reasons People, Ideas & Objects software development budgets are where they are. We will have challenges to resolve in delivering these innovative systems to the industry. I would remind producers that our value proposition sees the one-time costs of these developments amortized over our producer base. Yet each producer receives the full scope of that development effort in terms of the software application.

We now look at the Oracle product classification for Access Management. Included in the Access Management classification are the following products: Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Identity Federation and Oracle Enterprise Single Sign-On Suite. Each of these products will be included in the Preliminary Specification as they have components required for day to day use by our users, service providers, producers and Joint Operating Committees.

One area Oracle had been working on was collaboration with partners, vendors and suppliers. Within Oracle Access Manager it is noted that they provide... “Building federated user communities that span company boundaries.” These are the beginnings of both pooling and Industrial Command & Control (ICC) that are critical to resolving many of the issues that the oil & gas industry faces.

On the heels of Oracle Access Manager is their Adaptive Access Manager which takes the concept of intra-partner interactions further with “Oracle Adaptive Access Manager makes exposing sensitive data, transactions and business processes to consumers, remote employees or partners via your intranet and extranet safer.” This is the nature of business in the future. Working with partners, as is done by the Joint Operating Committee, is an effective means of reducing costs and increasing innovation in any industry. It’s only reasonable that technologies emulate these needs. In addition Oracle Adaptive Access Manager takes security and authentication to another level. As a result, our demands regarding the pooling concept and the ICC, I feel, will be less of a technical risk for the People, Ideas & Objects Preliminary Specification and subsequent developments. 

The next application is the Oracle Entitlements Server, which provides a dynamic access control element to the applications that use the server. Instead of manually wiring access control privileges into each application and user, they can be dynamically generated using the Oracle Entitlements Server. “The solution can manage complex entitlement policies with a standalone server or with a distributed approach that embeds information at the application level.” When it needs to be determined if user X has access to Joint Operating Committee Y, a decision from the entitlement server, based on criteria within the application, can be made. If this information is changed, our user would be denied access. This provides enhanced security based on policies and reduces the amount of detailed, specific software development that is difficult, time consuming, and costly to maintain.
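The "user X, Joint Operating Committee Y" decision described above, sketched as an added example that is not Oracle's code or part of the Preliminary Specification: a default-deny decision point that reads role attributes at decision time, so a membership change alters the answer with no application change. All role, user, JOC and resource names are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """One entitlement rule: holders of `role` may perform `action` on `resource_type`."""
    role: str
    action: str
    resource_type: str


@dataclass
class Directory:
    """Constructed attribute store: (user, joc) -> roles held in that committee."""
    memberships: dict = field(default_factory=dict)

    def roles(self, user, joc):
        return self.memberships.get((user, joc), set())


class DecisionPoint:
    """Central policy decision point; applications ask it instead of hard-wiring privileges."""

    def __init__(self, rules, directory):
        self.rules = list(rules)
        self.directory = directory
        self.audit = []  # every decision is recorded, permit or deny

    def decide(self, user, joc, action, resource_type):
        # Attributes are looked up on every call, never cached by the application.
        held = self.directory.roles(user, joc)
        permitted = any(
            r.role in held and r.action == action and r.resource_type == resource_type
            for r in self.rules
        )
        decision = "PERMIT" if permitted else "DENY"  # no matching rule means deny
        self.audit.append((user, joc, action, resource_type, decision))
        return decision


def demo():
    """Same request three ways: valid member, wrong committee, membership removed."""
    directory = Directory({("user_x", "joc_y"): {"engineer"}})
    pdp = DecisionPoint(
        [Rule("engineer", "read", "well_file"), Rule("chair", "approve", "afe")],
        directory,
    )
    before = pdp.decide("user_x", "joc_y", "read", "well_file")
    other_joc = pdp.decide("user_x", "joc_z", "read", "well_file")
    directory.memberships[("user_x", "joc_y")] = set()  # user leaves the committee
    after = pdp.decide("user_x", "joc_y", "read", "well_file")
    return before, other_joc, after, len(pdp.audit)


if __name__ == "__main__":
    print(demo())
```
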

Federated Identities are a major part of how the pooling concept and ICC are implemented in the Preliminary Specification. We have specified Federated Identities in many modules, such as the Resource Marketplace module, in situations such as where the vendor maintains contact and other information. That information is comprehensive and includes key organizational contacts, calendars and scheduling information. Working with the partners in the Joint Operating Committee and the representatives of the service industry in this way will effectively mitigate many technical software development issues we have. These data elements are maintained by each producer / service industry company and available globally throughout the People, Ideas & Objects applications.

One area where we will continue to face a challenge is the Work Order. Putting together a working group to study earth science or engineering research is critical to innovative oil & gas producers and the industry in general. These are ad-hoc organizations formed with partners that may have no past history to draw from. Federated Identities will provide users with some of the information they need to establish the partnership and grant application access. However, there is still the pooling and sourcing of costs and budgets. Costs and their contributions are traditionally what invoke the bureaucratic nightmare that mitigates and destroys the motivation for these working groups to form. We need to ensure these roadblocks do not get in the way. We have proposed to overcome these issues by developing an intuitive interface for our users involved in organizing the working group.

We don't want our users to experience a mindless security access maze. Oracle Enterprise Single Sign-On Suite Plus promises to keep this from happening. Logging onto and off of systems as our user proceeds through the various modules and components of the applications is a must have. This product promises this level of service seamlessly and remotely, which is needed and considered a must-have feature in today’s software offerings.

Oracle Identity Manager will be used as the base product for role and identity management. This will be the base of the Industrial Command & Control for the People, Ideas & Objects Preliminary Specification. It is part of the Oracle Fusion Middleware product offering and part of their Java Enterprise Server. Therefore we can build off the existing functionality and enhance it with our user community's needs. Building off of the functionality will be somewhat limited as many of the concepts inherent in the ICC are already captured in Oracle Identity Manager.

Oracle Identity Manager is a highly flexible and scalable enterprise identity administration system that enhances operational and business efficiency. It provides centralized administration & complete automation of identity and user provisioning events across the enterprise and extranet applications. It manages the entire identity and role lifecycle to meet changing business and regulatory requirements and provides essential reporting and compliance functionalities. By applying business rules, roles, and audit policies, it ensures consistent enforcement of identity-based controls and reduces ongoing operational and compliance costs.

Oracle Internet Directory and Oracle Virtual Directory product offerings follow. A bit off topic but Oracle Internet Directory is a relational database-derived directory server. That Oracle is providing the marketplace with a directory server based on relational database technology speaks to the power of their relational database. They claim they have performance for two billion users. I see the advantages of using this product over their traditional directory server and have selected it for the Preliminary Specification. It will provide us with some flexibility when we ask some of the most comprehensive and demanding questions of these technologies. 

Oracle Internet Directory could be deployed as an industry wide directory server. In this case, I am referring to a directory server for the oil & gas and service industries. There it can integrate with other Oracle products, such as Oracle Identity Manager, which would be deployed at the producer firm, Joint Operating Committee and service industry representative level. This being a relational database we have some interesting opportunities here. 

Oracle Virtual Directory may be the first step toward optimizing relational databases. What we will have is a global database of names within the Oracle Internet Directory. These will relate to the information contained in Oracle Identity Manager and other applications. Oracle Virtual Directory will provide us with a seamless way to browse, and applications will see these datastores as one. 

Within the Preliminary Specification we want to access the contact information of the people or firms that provide services or products to the producers or Joint Operating Committees. Individuals and service industry members are expected to maintain their own contact and basic information. These will be maintained in the Oracle Internet Directory so that each and every producer or Joint Operating Committee can access the latest, up-to-date information. This will save an immense amount of time for producers and Joint Operating Committees, as well as individuals and service industry providers. When looking for someone, the search capabilities will be significant as we have added the “Vendor / Supplier Contact Database” and the “Actionable Information Interface” to this base data in the Resource Marketplace module.

Now we want to look at Oracle Identity Analytics as part of the Security & Access Control module of the Preliminary Specification. This application provides governance over the access privileges granted to our users of the People, Ideas & Objects application modules. Many of the functions and processes provided in Oracle Identity Analytics are either necessary or of significant value when included in the Preliminary Specification.

A key area of our strategy is to understand the "why" and "how" of our users' access to our services. This means providing documentation of what information was accessed by what users and whether any of the access violates any of the established policies, and ensuring that data access by users is compliant with corporate and application policies. This is to ensure that users are not unnecessarily abused by overtly secure systems and that overall efficient corporate governance is achieved. All of the data collected during data access, that is, the “why and how” of our users' access, is compiled in a “Data Warehouse” for further analysis and querying. This will help to show trends and usage patterns that will form updated policies and procedures and security provisions.

Another useful function within the Oracle Identity Analytics application is the Segregation of Duties feature. In many areas of a corporation, certain process functions must be undertaken by specific and sometimes different individuals. This feature provides for that assurance. It is Sarbanes-Oxley compliant. This is particularly relevant when the Joint Operating Committee is small, as we mentioned the other day, and we have assigned many roles to a few people. By segregating the roles that need to be kept separate for compliance purposes, this application ensures that the appropriate governance is maintained.
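To make the small-committee case concrete, here is an added example (not Oracle Identity Analytics code, and not part of the Preliminary Specification) that detects conflicting role pairs held by one person, vets a grant before it is made, and searches for a way to spread all roles over a few people without a conflict. The role names and conflict pairs are constructed assumptions.

```python
from itertools import combinations

# Constructed conflict pairs: roles that one individual must not hold together.
CONFLICTS = {
    frozenset({"afe_originator", "afe_approver"}),
    frozenset({"invoice_entry", "payment_release"}),
    frozenset({"afe_approver", "payment_release"}),
}


def violations(assignments, conflicts=CONFLICTS):
    """Detective control. assignments: {person: set(roles)} for one committee.
    Returns a sorted list of (person, role_a, role_b) for every conflicting pair held."""
    found = []
    for person, roles in assignments.items():
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in conflicts:
                found.append((person, a, b))
    return sorted(found)


def can_grant(assignments, person, role, conflicts=CONFLICTS):
    """Preventive control: True only if `role` conflicts with nothing `person` already holds."""
    return all(
        frozenset({role, held}) not in conflicts
        for held in assignments.get(person, set())
    )


def distribute(roles, people, conflicts=CONFLICTS):
    """Assign every role to exactly one person so that nobody holds a conflicting pair.
    Backtracking search; returns {person: set(roles)} or None when the committee is too small."""
    ordered = sorted(roles)
    result = {p: set() for p in people}

    def place(i):
        if i == len(ordered):
            return True
        for p in people:
            if can_grant(result, p, ordered[i], conflicts):
                result[p].add(ordered[i])
                if place(i + 1):
                    return True
                result[p].remove(ordered[i])  # undo and try the next person
        return False

    return result if place(0) else None


if __name__ == "__main__":
    all_roles = {"afe_originator", "afe_approver", "invoice_entry", "payment_release"}
    print(distribute(all_roles, ["alice"]))         # None: one person cannot hold them all
    print(distribute(all_roles, ["alice", "bob"]))  # a conflict-free split across two people
```
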

There is a comprehensive and customizable dashboard interface for our Oracle Identity Analytics users to analyze the data, and particularly the data warehouse. It is filled with reports and data that an effective user can use to determine where and how the People, Ideas & Objects producer client might be susceptible to access control violations.

The last feature I want to highlight is what Oracle calls Role Lifecycle Management. This provides the Oracle Identity Analytics user with the ability to do “what if” analysis in terms of the implications for identities and roles within the People, Ideas & Objects application. It contains a role change approval process, role versioning and role rollback. These will be needed in determining and maintaining the Industrial Command & Control. 

We now step down from the Oracle Fusion Middleware layer to the actual Oracle Database for some security features. The first product in this stack is Oracle Advanced Security. It provides authentication, and encryption of database and network activity. It is possible, and I highly recommend, that all the data and information used in the People, Ideas & Objects application modules be encrypted in the database and on the network. This increases the load on the systems and requires additional effort in terms of key management. However, I think that given the nature of the data and information, and the manner in which the applications are provided as Cloud Administration & Accounting for Oil & Gas, this level of security is necessary.

Oracle Audit Vault is another product I recommend for the Preliminary Specification. It provides a central location for, and management of, audit information for compliance purposes, along with the ability to manage data, information, privacy policies, and security for our users. Oracle Audit Vault is Sarbanes-Oxley compliant.

This next Oracle product adds to the Preliminary Specification. Oracle Label Security will work in many different ways within the modules; however, here are just two examples. The application designates specific individuals with higher security clearances. It designates specific data fields with certain security clearance. Those with high enough security clearances and appropriate authorizations can read these database fields. Within the People, Ideas & Objects application we want to ensure that the reserves, accounting information and strategy discussions of each producer firm remain confidential to a select group of individuals within that firm. With Oracle Label Security that is possible. We want to ensure that the appropriate people within the chain of command in Industrial Command & Control have access to the appropriate materials to make the appropriate decisions. This will allow those individuals to have access to these materials without making them available to everyone in the chain of command.

Although not that pertinent to our users of the People, Ideas & Objects applications, we have included Oracle Configuration Management, Oracle Database Firewall and Oracle Database Vault as part of the Preliminary Specification. These will help keep the applications and the Oracle Database running as they should. Oracle Configuration Management will determine if there is a change in the configuration, either through a patch, or if something has been done wrong it will correct itself back to the specified configuration, ensuring that what is promised to our users of People, Ideas & Objects is provided. Oracle Database Firewall ensures no SQL statements inconsistent with our users or applications are passed through to the database. Oracle Database Vault allows you to restrict certain IP addresses or users to running certain SQL commands. It also locks databases from having any operations conducted on them.

Backing up data and information is one of Oracle’s strengths. Oracle Secure Backup provides excellent tools for this. Because the database is encrypted, the backup is encrypted as well. What we will need to do in the Preliminary Specification is to determine in extensive detail what precisely will be the backup strategy used for the People, Ideas & Objects application.

Lastly there is Oracle Total Recall, a product that helps access historical data. Oracle Fusion Applications provides some interesting solutions for how they handle legacy applications. We will get into those as we proceed through the Preliminary Specification.

Conclusion

It is important to remember that here in the Security & Access Control module of the Preliminary Specification, the role and identity-based Industrial Command & Control (ICC) as conceived here has not been implemented, developed or conceived anywhere else before. We are taking role and identity-based management to the next level with the ICC. This is done through the usage of the Joint Operating Committee, through pooling and taking advantage of specialization and the division of labor in the oil & gas industry.

Why are we bothering with the ICC and the Joint Operating Committee pooling of resources? The issue we are resolving is the finite number of earth science & engineering resources available to the industry. With the anticipated retirement levels in the next 20 years, with the time requirements to bring on increased levels of resources, and most importantly with the demands for more energy and the demands for more earth science & engineering in each barrel of oil equivalent produced, we face long-term shortages of critical resources. Organizing the industry, exploiting specialization and the division of labor, and applying Professor Paul Romer's theory of non-rival costs are necessary to increase the output from the same number of resources. Doing this without pooling the resources in the Joint Operating Committee will cause the producer firm to broaden the scale of their earth science & engineering capabilities beyond what would be a commercially viable concern. The Preliminary Specification notes that we have contributions from earth scientists and engineers from multiple producers working together to meet the objectives of the Joint Operating Committee. Therefore they need a means to organize themselves, and that is the Industrial Command & Control of the Security & Access Control module.

How the ICC will be implemented will be determined by our user community. However, I can speculate that the Joint Operating Committee will have standard roles and identities used throughout the industry. Standardization provides many benefits and will be necessary in this instance to make technology work. One of the key benefits of standardization is enhanced innovation. The need to have the various areas "covered" in terms of compliance and other requirements will require a standard template used by everyone. Everyone will know that that position is responsible for that role and responsibility. When Joint Operating Committees are small and have only a few people assigned, multiple roles can be assigned to one individual. 

There are security and access control issues associated with the service industry, and particularly with service providers accessing People, Ideas & Objects systems and data. Removing administrative and accounting resources from the producer firms and organizing them in their own service providers provides significant operational flexibility to the innovative and profitable oil & gas producer. The Security & Access Control module ties these disparate organizations into highly organized replacements for the current bureaucracy, contributing substantially to the tangible portion of People, Ideas & Objects' overall value proposition.

With the natural division in the types of information held within a producer and Joint Operating Committee, producers will know that the Preliminary Specification can deliver the right information to the right people at the right time. Leakage of proprietary information can be mitigated by isolating company data. This is due to its unique nature and Oracle Label Security's ability to restrict access to database fields.

Oracle’s products provide a strong layer of mission critical capabilities in the Security & Access Control module. Oracle provides comprehensive coverage of security, access control, audit, backup and role management, to name just a few of the highlights provided. Although this comes with additional costs, I am certain that no one will argue with the quality and peace of mind that these products bring.