Testing service rolls out vast federated identity management system using Oracle

The Educational Testing Service says it has gained efficiencies by centralizing its identity and access management

The Educational Testing Service, a non-profit organization that provides academic assessment tests, says it has gained efficiencies by centralizing its identity and access management (IAM) for on-premises, cloud and hosted applications. But it had to cope with a few bumps in the road along the way, especially in extending IAM into the cloud.

ETS deployed Oracle Identity Management for its thousands of employees in order to be able to provision and de-provision applications quickly for single sign-on convenience that's a boon to both end users and the IT department staff. One advantage was "we went from days to minutes" when it came to granting access to applications, says Jim Moran, chief information security officer (CISO).

Though it took a number of years to roll out, the easier part of this vast single sign-on IAM deployment was serving the employees. The harder part was extending it to the business and service providers that ETS relies upon, in particular cloud services such as Microsoft Office 365.

ETS has engaged Computer Sciences Corp. to host Oracle Identity Manager and other components for the basic infrastructure, according to Moran. ETS administers identity management for employees based on simple defined roles, such as what applications someone working in an ETS call center might need.

To expand the Oracle IAM support out to business partners, it's necessary to share some Oracle IAM components.

"Oracle provides 'Fedlets,' Java code you can give to your service providers," says Moran. Based on the SAML 2.0 standard, this software allows business partners to join in a federated fashion with ETS to share the appropriate applications and users without having to deploy a full-fledged identity management system. This has worked out well for tasks such as linking ETS with the third-party web portals of partners that handle work such as grading tests. But the 'Fedlet' arrangement does require work to set up, including maintaining a public-key infrastructure exchange for security, Moran says. It means interaction between the companies to establish a significant level of trust.

The biggest bump in the road has been extending the ETS Oracle Identity Management deployment out into cloud-based services. In adopting Microsoft Office 365, for example, ETS found that Microsoft wouldn't allow Oracle agent software to be added to a Microsoft Office 365 server. The approach that ETS found would work to unite Oracle Identity Management with Microsoft Office 365 was to set up a separate server as an intermediate point.

"We now use a web-based server as a shim between Oracle and Microsoft," says Moran. There are various issues related to how well Oracle and Microsoft share IAM-related information for federation, but Moran says there are signs things are improving and moving in the right direction.

Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com
