On 11/28 Oracle released new technology standards for safeguarding data throughout the applications data flow called the Identity Governance Framework (IGF). CNET news reported on it November 30. The article points out that such standards would help prevent data leaks and also contribute to regulatory compliance.
The IGF Overview is a 24-page document with a discussion of business need and business drivers for building privacy in, plus concepts necessary to build into applications and systems to meet regulatory compliance.
A discussion of the “Principle of “Least Knowledge”” provides some good examples of how less personally identifiable information (PII) is really needed than is typically collected. This aligns closely with the OECD privacy principle of Collection Limitation. Since most international data protection laws are built upon these principles, and sing these principles are widely used throughout the world, I’m not sure why Oracle chose to use a different term, “Least Knowledge,” than the already established label. Too bad vendors always seem to want to coin their own unique terms for existing concepts; yes, I guess that’s a marketing thing. And yes, copyright issues are involved, but if they provide proper attribution to the OECD it would also provide some authoritative validation for their standards to show they were in line with existing standards.
Page 10 starts the proposal. The introduction states:
“The Identity Governance Framework (IGF) is designed to allow: (1) application developers to build applications that access identity-related data from a wide range of sources, (2) administrators and deployers to define, enforce, and audit policies concerning the use of identity-related data. IGF has four components: (a) identity attribute service, a service that supports access to many different identity sources and enforces administrative policy (b) CARML: declarative syntax using which clients may specify their attribute requirements, (c) AAPML: declarative syntax which enables providers of identityrelated data to express policy on the usage of information, (d) multi-language API (Java, .NET, Perl) for reading and writing identity-related attributes. Oracle proposes that the declarative syntax used for CARML, AAPML, and service protocol used between client applications and service providers be standardized.”
The document goes on to describe the architecture layers.
There are sample business cases provided that shows how certain applications programming and architecture have historically been constructed, and how they would be using the proposed changes.
There were several little typos throughout this document. A nitpick, I know, but it looks like Oracle would have proofread such a document well before posting.
This is actually a nice overview of what could be accomplished with standards to use whenever PII is involved with applications and systems. The questions and issues referenced are ones that all IT folks should consider when dealing with PII and building corresponding safeguards.
The IGF FAQ provides more of Oracle’s vision for the IGF.
The actual programming standards are provided in the following AAPML and CARML documents:
* CARML Specification
* CARML Schema
* Example CARML document
* Client API
* AAPML Specification
Such programming standards to build privacy into applications certainly are welcome. It would be good if such standards were truly more vendor neutral, but in today’s business world that is probably just wishful thinking.
Tags: application standards, awareness and training, data safeguard standards, Information Security, IT compliance, policies and procedures, privacy