31.10.2007 by Martin Kuppinger
There are plenty of GRC solutions out there. Products for one specific regulations, industry-specific solutions, and more and more solutions which claim to address the entire GRC problem. The level ranges from paper-based methodologies to more or less complex Excel sheets and complex frameworks.
I’m mainly interested in the generic solutions which try to address the entire problem. Many solutions address some part of the problem, but you will need dozens of different products to solve your GRC requirements. That leads to a complex, expensive infrastructure. Thus, a strategy for a generic approach for GRC which can cover all regulations is inevitable. That’s about compliance automation or governance automation, a topic I have published on our website some time ago.
Read the rest of this entry »
Posted in GRC
26.10.2007 by Martin Kuppinger
Our upcoming Identity Management market report 2007/2008 shows some interesting results. Not to surprising, at least most of them, but nevertheless pretty interesting. One important information is where the money will be spent next year. For sure there is Identity Provisioning. And, as expected, Role Management is a very important area. Besides these both areas there is Single Sign-On as the third topic on which a lot of money will be spent within the next 12 months. More than 30% of the survey participants will implement SSO, will enhance their implementations significantly or will replace the technology which they use today. Another roundabout 30% will optimize their existing implementations. Less than 30% of the companies won’t spend money on SSO.
The question behind is for the reason why. There are some aspects. SSO helps the users. It eases their lifes with less user names and passwords. SSO makes the user the admin’s friend. Another aspect is compliance. SSO might help in achieving some of the targets of compliance, at least in (the strongly recommended) combination with strong authentication.
It is easier to audit who is allowed to access which applications, who actively uses accounts in which system and who has accessed which system when. Upcoming trends like the integration with events from phyiscal access systems, thus doing the step towards context-based authentication and authorization, enhance the support for compliance requirements.
From my perspective, these two aspects – user friendliness and compliance support – are the most important driving factors for the success of SSO. Besides, SSO is pretty mature, at least the Enterprise SSO solutions which are most common today. But also token-based approaches like the use of Smartcards with certificates and other credentials stored on the tokens shows an increasing maturity, lower costs and a broader availabilty of devices.
Thus, if you haven’t solved your SSO issues until know, start thinking about. But when you think about, don’t remain with an internal solution like Enterprise SSO but think about the future. SSO for your customers through support of OpenID, CardSpace and other technologies shall as well be part of your SSO strategy (look at some of our downloads…) as the role identity federation will play in the next years.
25.10.2007 by Martin Kuppinger
I still remember some tough discussions I had with eBay in 2004 when we had just started KCP around there missing investments in secure, strong authentication. Interestingly eBay and PayPal are amongst the first now to use VeriSign Identity Protection, abbreviated as VIP. And they start in the German market to roll out this technology.
Basically VIP is sort of a combination of strong authentication with a user-centric identity which can be used with different vendors and other companies in the market. The user requires a token which provides an OTP (one time password) which is used for authentication. Nothing new, so far. But: The VIP network is designed to support multiple partners and it uses only one token. Thus it addresses two of the biggest obstacles of OTPs as a means for strong authentication:
- The cost of deploying tokens is shared and thus lower.
- The user has one token instead of a collection of tokens from different providers.
I really like this approach because it’s a pragmatic one. And I will, for sure, test my VIP card today with my eBay account. Best of all, the token is in credit card form factor and thus very comfortable to take with me, in contrast to some other token I own.
Combine this approach with OpenID and CardSpace and you end up with a solution which isn’t perfect but far more secure and usable than most of the other approaches in the market. Interestingly I had discussing about that approach with VeriSign some 18 months ago the first time. Seems, that today the market is ripe for it.
22.10.2007 by Martin Kuppinger
In some of my last entries in this blog (here and here) I’ve mentioned the concept of Enterprise Information Management, something I will cover in depth in a report within the next few weeks. Enterprise Information Management will be sort of the long term evolution of today’s Identity Management and some of the tightly related topics, as well as the integration of IAM with some other technologies. I started thinking about this concept when I developed a simple chart which describes the future of IAM.
It starts with today’s IAM, which is sort of “Identity Management for Administrators”, e.g. solving mainly technical issues in synchronizing information, with support for single sign-on or with provisioning. I’ve titled the next level “Identity Management for Applications”, describing the service orientation and the integration into applications. It includes aspect like Application Security Infrastructures. Many vendors are working on a service layer or the integration of business applications with their IAM products.
Read the rest of this entry »
20.10.2007 by Martin Kuppinger
Dave Kearns, who will contribute as a track moderator and speaker to our European Identity Conference 2008, has introduced the term context-based authorization (and influenced my thoughts on this topic – thanks to Dave) as an approach for basing authorization on the context in which a user acts, which goes beyond the risk-based authorization in two ways: It’s not binary, e.g. either in or out. And it’s based potentially on more information about the context. I’d like to add some thoughts from my side to this and explain as well the difference between today’s risk-based authorization and tomorrows context-based authorization.
Risk-based authorization is an approach which has developed mainly in the financial industry. The idea is to observe and analyze user interactions to detect potential attacks and other dangerous situations. If there is a risk, the authorization to access a specific system or specific data within in a system is denied. There are several vendors in this space, including Oracle with their Bharosa acquisition and Arcot Systems.
The idea of context based authorization goes well beyond this, even while there is no hard borderline between vendors of risk-based authorization and the context-based authorization idea. It’s more sort of an evolutionary process. I personally expect that todays vendors in the risk-based authorization space (which sometimes have a some ability for context-based authorization as well) will expand their products towards context-based authorization. I assume that we as well will see some new specialists in the space of context-based authorization. And for sure the key players in the IAM space will enter the market for context-based authorization either with the make or the buy approach, e.g. building it by themselves or acquiring someone. Read the rest of this entry »
19.10.2007 by Martin Kuppinger
SAP tends to talk about its concept of business-driven Identity Management in these days and claims this to be a new approach. But honestly – neither the term nor the concept are really new (but valid). Business-driven Identity Management in SAP’s vision is role-based. Based on business roles, to clarify this, not on the technical system roles SAP supports today in its different business systems.
There is no doubt that business roles are becoming more and more important for IAM. SAP supports them today in its GRC Access Control product. SAP NetWeaver Identity Management in the current and near-term releases will use a separate role management approach. That might, from my opinion, change over time due to the fact that the integration between SAP GRC Access Control and SAP NetWeaver Identity Management is one of the major points on the SAP roadmap.
There are two things I’d like to add. First of all, what SAP delivers today in SAP NetWeaver Identity Management is a first step towards the right direction but definitely not the leading business role management approach in the IAM space. Second, business-driven IAM doesn’t end with business role management. In my vision for the evolution of IAM there is much more business control of information through the user, centered around “information objects” and the identities. I’ve talked about that in some of our webinars and will, probably by the end of November, write a report on this vision and the things I observe in the industry – and probably I will write a little about this in my blog even before publishing the report.
19.10.2007 by Martin Kuppinger
Sometimes the real important news are hidden pretty well. I’ve experienced this once again at SAP TechEd in Munich. Despite several analyst briefings before and during the event I decided to attend a presentation on the status and future of SAP NetWeaver Identity Management. At the very end of the presentation there came a slide about the relationship of CUA and SAP NetWeaver Identity Management which said that CUA will be replaced by SAP NetWeaver Identity Management on the long term.
That is really important news. CUA is the Central User Administration in the SAP environments, allowing to centrally manage users for several instances of SAP system with ABAP based local user management – which means in fact most of the core business systems in the SAP environment. For sure SAP will support a coexistence of CUA and SAP NetWeaver Identity Management. But the strategic solution is SAP NetWeaver Identity Management.
Due to the fact that an ABAP only focus isn’t sufficient for the user management in SAP environments, that is important (and positive) news for existing CUA users as well. And there are many options to use CUA together with SAP NetWeaver Identity Management in the future. But it is an aspect which influences as well decisions on CUA implementations as the overall Identity Management strategy – and the Identity Management market in general.
This new role of SAP NetWeaver Identity Management will in fact lead to a situation where the product will be used in a very high percentage of all SAP implementations at least for provisioning to the local user managements of the different SAP systems. For sure a customer could also decide to use another’s vendor product for what he is doing today with CUA and with another provisioning solution. And there will be many customers who will use SAP NetWeaver Identity Management as a CUA replacement together with another product.
But overall the CUA replacement is one of the strongest arguments SAP has for its NetWeaver Identity Management, besides the important role the product will play for the future evolvement of the NetWeaver platform. And the positioning as CUA replacement has to have impact on the IAM strategies of all SAP customers. They should analyze the pros and cons of all options, from “pure SAP” to “non SAP”. That’s not only about CUA and the provisioning, but will be influenced as well from the plans SAP has for IAM in the NetWeaver- and overall SAP-scope. I’ll talk about these plans more in the next weeks as well as in an upcoming report on SAP’s IAM strategy.
16.10.2007 by Martin Kuppinger
A side effect of application security infrastructures
When writing my upcoming report on the architecture of application security infrastructures I thought also about potential business values of this type of service layer which sits between applications and the security infrastructure (in fact the term “application security infrastructure” is somewhat misleading because its more about a service layer which sits on top of the infrastructure – and the service layer is core, not the infrastructure). When thinking about the business values it became clear to me that there is a clear link to what I have written in “The ERP for IT” about the chance to use service orientation for making IT sort of a business unit.
Application Security Infrastructures can support IT to become more business-oriented and more economic. How? Very easy: These infrastructures expose defined services (security services, mainly identity services) to applications and network infrastructure components (for example “identity storage services” as interface to directories). The usage of these services can be measured. The costs of the underlying infrastructure can be measured as well and is related to specific services. So, in effect, you have the cost per use per service.
With that information you can for example predict the costs of new applications much more precise than before. You can assign the costs of the infrastructure much more precise than before to the consumers of the services. You can offer more efficient services for lower costs. And so on… IT can act like a business unit or, more familiar, like an “internal outsourcer”.
That is, from my point of view, one of the biggest advantages amongst the pretty long list of business values an application security infrastructure can deliver. For sure that isn’t unique to application security infrastructures, but applies to any move towards service orientation.
12.10.2007 by Martin Kuppinger
Oracle today announced that they’d like to acquire BEA and have placed a bid for BEA. The BEA management on the other hand seems to not be willing to become a part of Oracle. To me, it’s somewhat surprising that Oracle looks on BEA. Oracle has its own middleware product and, from a technical perspective, I don’t see the urgent requirement to buy BEA. BEA, for sure, is one of the leading vendors in the market space but I don’t expect them to add that much value at least from a technical perspective to Oracle that it would be worth to pay the pretty high price.
So there is mainly one reason for this bid: Market share. If you combine the market shares of both companies the result will probably be the market leader, in front of SAP and IBM as closest competitors. With respect to the ongoing “battle” between Oracle and SAP its reasonable from an Oracle perspective to invest in marketshare especially in the core segment of competition, the middleware or application infrastructure market – however you name this market segment.
Beyond this, the Oracle bid for BEA points to another thing I have in mind for a long time: BEA is the only large vendor in this segment which is focused mainly on middleware. I doubted that this is sufficient. From my perspective, BEA and BMC would be an interesting fit – much more interesting than Oracle and BEA, because that’s really mainly about market share. Combining BEA and BMC would led to a strong vendor which competes against IBM and others, with a broad offering covering the infrastructure as well as the applications and thus delivering the basis for sort of an ERP for IT. But if I look back to the PeopleSoft acquisition, I doubt that anyone else will acquire then Oracle.
So we can expect Oracle to set the next milestone in the mentioned “battle” against SAP through expanding its market share in the middleware market – and sit back and wait for a response from SAP.
10.10.2007 by Martin Kuppinger
Oracle remains true to its strategic approach of growth trough acquisitions. The next company to become part of Oracle is LogicalApps. LogicalApps, pretty unknown at least here in Europe, is a vendor in the GRC space – more concrete of “automated GRC controls management solutions”. GRC is an acronym for Governance, Risk Management and Compliance. The solution supports SoD enforcement, monitoring of business transactions, and evidence (e.g. audit). The vendor is focused on Oracle Applications with – as they claim – hundreds of successful deployments in these environments.
With this acquisition, briefly after announcing the acquisition of Bridgestream, Oracle proves that they are willing to compete with SAP in the GRC field. In fact the combination of Bridgestream and LogicalApps will lead to a solution which can be compared to SAP’s GRC Access Control solution which has its roots in the former Virsa products. SAP’s advantage is that they are some two years ahead of integrating and enhancing what they had acquired. On the other hand Oracle has proven its ability to integrate products they have acquired. And Oracle has another interesting component in its portfolio with the risk-based authentication/authorization provided through Bharosa, another company they recently acquired.
Both vendors, by the way, face the same challenge: They have to expand the solution scope beyond their own ERP applications. SAP is intensively working on support for Oracle Applications, PeopleSoft and other solutions. Oracle will have to enhance the LogicalApps product to a pre-defined “best practice” support of SAP environments. And both of them will have to enhance the scope of GRC beyond the core ERP solutions to all information (systems) in the enterprise. eMail, for example, is pretty relevant to GRC.
The acquisition strengthens Oracle’s competitive positioning and is, from my point of view, a major milestone towards true competition in the GRC field, because Oracle will now be the challenger number one for SAP in this area. It will be interesting to observe whether other major vendors like IBM or even Microsoft will enter this market – and with which approach they’ll do that.