Oracle's and SAP's distinctly different approaches to selling identity and access management capabilities reflect long-standing philosophical differences between the two industry giants, experts say.
Identity and access management features are at the core of both Oracle's and SAP's application security strategies, according to Ian Finley, a research director with Boston-based AMR Research. But for the most part, that's where similarities between the longtime rivals end.
Oracle -- which has acquired a handful of identity and access management companies over the last few years, integrated them, and positioned their systems as part of its Fusion Middleware package -- wants customers to know that its identity and access management suite can be purchased as a standalone item that runs with multiple vendors' databases and applications, Finley said.
SAP, on the other hand, markets its identity and access management capabilities as part of its NetWeaver and ECC suites, he added, and customers rarely if ever buy NetWeaver specifically for security purposes.
"The customers who are shopping for a security system aren't going out and buying NetWeaver because it's actually a fairly big, bulky thing, designed to run the whole SAP suite, and you can't just buy the security stuff as a standalone piece," Finley said. "[SAP will] say that they have some companies that are using NetWeaver by itself, but they have something like 35,000 customers and probably fewer than 50 companies using NetWeaver as a standalone environment."
On the technology front, SAP is going for a robust but complex approach to security, according to experts. Getting things up and running can be very time-consuming, they say, but once everything is in place, a security breach, Internet-related or otherwise, is highly unlikely. Experts say that Oracle, for its part, takes a somewhat less complicated overall approach to security.
"[SAP's security configuration] is more complex to set up, but it's also more flexible in terms of what it allows you to restrict," said Richard Hunt, founding director of U.K.-based Turnkey Consulting Ltd., a company that specializes in SAP security. "Of course, this level of flexibility brings with it the common problem of clients creating hugely complex security solutions that are unmanageable and difficult to maintain."
Gauging the big threats to application security
Identity and access management is becoming increasingly important, Finley said, especially given the onslaught of headlines in recent years about high-profile data breaches at such organizations as the U.S. Department of Veterans Affairs and TJX Companies Inc.
"The basic idea [behind identity and access management] is that you want to control who actually has access to your systems and to your data," Finley said. "The other thing that [identity and access management technology] does is allow you to quickly add or remove people from the system. When you fire 80 brokers at 10:02 a.m. on Wall Street, you want all those people's access to be shut off instantly."
The ability to remove workers from systems quickly is significant, experts say, because internal threats remain one of the biggest hazards to application security.
"Internal security threats can either be deliberate or accidental, but either way they can cause serious damage and financial loss to the organization," Hunt said. "All too often we find that the configuration of roles to appropriately restrict employees' access and separate incompatible duties is overlooked -- such as entering bank account details and running the payroll."
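To make the two ideas in the quotes above concrete, here is an added illustration (not Oracle's, SAP's, or any vendor's code) of what an identity and access management layer actually has to compute: a user's effective permissions from the roles assigned to them, a separation-of-duties check over those permissions using the bank-details-versus-payroll conflict Hunt mentions, a preventive check before a new role is granted, and a bulk "revoke everything now" operation of the kind Finley describes. All role, permission and user names are constructed for the example.

```python
"""Toy identity-and-access model: effective permissions, separation-of-duties
(SoD) checks and immediate deprovisioning.

Added illustration only; the role catalogue, SoD rules and user names below
are constructed examples, not any vendor's data model.
"""

from dataclasses import dataclass, field

# Constructed role catalogue: role name -> permissions the role grants.
ROLES = {
    "vendor_master_maintainer": {"maintain_vendor_bank_details", "view_vendor"},
    "payroll_operator": {"run_payroll", "view_payroll"},
    "payroll_auditor": {"view_payroll"},
    "broker_trading": {"enter_trade", "view_positions"},
}

# Constructed SoD rules: permission pairs one person must never hold at once.
# The first rule is the payroll example from the article.
SOD_RULES = [
    frozenset({"maintain_vendor_bank_details", "run_payroll"}),
]


@dataclass
class Directory:
    assignments: dict = field(default_factory=dict)  # user -> set of role names
    audit_log: list = field(default_factory=list)    # (action, user, role) tuples

    def effective_permissions(self, user):
        """Union of the permissions of every role the user holds."""
        perms = set()
        for role in self.assignments.get(user, ()):
            perms |= ROLES[role]
        return perms

    def would_violate(self, user, role):
        """Preventive check: which SoD rules would granting `role` break?"""
        if role not in ROLES:
            raise KeyError(f"unknown role {role!r}")
        after = self.effective_permissions(user) | ROLES[role]
        return [tuple(sorted(rule)) for rule in SOD_RULES if rule <= after]

    def assign(self, user, role, override=False):
        """Grant a role; refuse toxic combinations unless explicitly overridden."""
        conflicts = self.would_violate(user, role)
        if conflicts and not override:
            raise PermissionError(f"{user}: assigning {role} breaks SoD {conflicts}")
        self.assignments.setdefault(user, set()).add(role)
        self.audit_log.append(("assign", user, role))

    def sod_violations(self):
        """Detective check: every (user, conflicting pair) currently held."""
        found = []
        for user in self.assignments:
            perms = self.effective_permissions(user)
            for rule in SOD_RULES:
                if rule <= perms:
                    found.append((user, tuple(sorted(rule))))
        return found

    def deprovision(self, users):
        """Revoke every role for each listed user in one step; returns who changed."""
        revoked = []
        for user in users:
            if self.assignments.pop(user, None):
                revoked.append(user)
                self.audit_log.append(("revoke_all", user, None))
        return revoked


def demo():
    """Walk through both scenarios from the article on constructed data."""
    d = Directory()
    d.assign("alice", "vendor_master_maintainer")
    # A normal assign would be refused; the override models the overlooked
    # configuration Hunt describes, so the detective check has something to find.
    d.assign("alice", "payroll_operator", override=True)
    d.assign("bob", "payroll_auditor")
    brokers = [f"broker{i:02d}" for i in range(80)]
    for b in brokers:
        d.assign(b, "broker_trading")

    violations = d.sod_violations()          # alice holds the toxic pair
    revoked = d.deprovision(brokers)         # "fire 80 brokers at 10:02 a.m."
    leftover = d.effective_permissions("broker00")
    return violations, revoked, leftover


if __name__ == "__main__":
    v, r, left = demo()
    print("SoD violations:", v)
    print("users deprovisioned:", len(r), "remaining perms for broker00:", left)
```

The preventive check in `assign` and the detective sweep in `sod_violations` are the two halves of the "configuration of roles" problem Hunt raises: the first stops a toxic combination being created, the second finds ones that were created anyway (here via an explicit override) so they can be remediated. `deprovision` revokes by removing the user's entire role set rather than editing individual roles, which is what makes the revocation instantaneous regardless of how many roles the user accumulated.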
Another major security concern focuses on "back doors" to applications, according to Corwin Slack, managing director of EnterSys Group LP, a Houston-based enterprise applications consultancy. These back doors are typically created by developers for troubleshooting purposes, but they occasionally end up slipping into production where they can be used to bypass controls. Back doors can also be created and exploited by hackers' malicious programs. For example, the infamous Nimda worm gained ingress through a back door left by Code Red.
Oracle may be more open in its approach to identity and access management, according to Finley, but that's not to say the company doesn't want customers to use its identity and access management suite as a stepping stone to other Oracle applications. One similarity between Oracle and SAP, he said, is that both firms are striving to build ecosystems that encourage end users and business partners to standardize on their respective application stacks.
"What's really happened for SAP and for Oracle is the process of pulling out this sort of very application-specific security and pulling it into a separate layer that they can call a security product and that they can apply consistently across multiple different applications," Finley explained. "[They did this because] it simplifies the management of security, and it creates the opportunity to use these things to create an ecosystem of software vendors who they'll deliver on their platforms."