24.10.2008 by Martin Kuppinger
Have you ever heard about Rohati? You should have. They are definitely amongst my list of really interesting vendors in the Identity and Access Management market and the overall security market. And they are on the way to provide a real alternative to todays complex, cost-intensive and still error-prone approach for managing access controls at file servers. They don’t end there but provide as well interesting features for controlling the access to web applications – but the part I like most is the one around CIFS/SMB (Common Internet File System/Server Message Blocks) and access control for file systems.
Rohati is a start-up which provides appliances to enforce access controls (or authorizations) at the network level. They are one of the currently few vendors in the new segment of “network based authorization management” or “network based entilement management”. All the traffic is analyzed by their appliances. This analysis supports every layer up to layer 7, e.g. the application layer. The CIFS support will be ready soon, currently being in beta.
Enforcing access controls at that level provides several advantages:
- At that level, one consistent layer of policy definition and enforcement can be defined.
- Changes in policies are easy to implement. It is, for example, pretty easy to secure some shares with financial statements in lock-up periods. That is by far easier to implement and enforce with the Rohati policy-based approach than at the ACL level of Windows servers, where it would require two explicit changes of the ACLs at fixed dates.
- There is one point of control, instead of different ACLs at different servers.
- Windows and Samba servers can be managed together.
The Rohati appliance acts in the context of the user, e.g. it requires authentication. But Rohati supports for example Kerberos, thus the authentication in Windows environments works seamless in the background, transparent to the user.
Today, the management of ACLs as well at the file system level as at the share level often is a nightmare – for both administrators and auditors. Managing ACLs consistently, according to defined business rules, across many servers is pretty complex and definitely error-prone. With the Rohati approach, there could be a layer in front instead of the system-level management of ACLs.
For sure, the information still has to be shielded for the ones who access servers locally. But all network access could be controlled centrally.
Usually, I’m no friend of solutions which operate as an additional layer in front of existing systems. But in that case, I think it is really worth to have a look at. Whilst Rohati in enforcing authorizations for web applications is more or less competitive to existing software-based Web Access management solutions, the CIFS support provides entirely new options for authorization. That approach might take a lot of burden from system administrators and help to avoid errors in authorization management.
I even could imagine that such a policy-based, centralized model for authorization management might significantly influence what Microsoft is doing at the operating system level for a next-generation windows server and file system. There are some lessons Microsoft could learn from Rohati and adopt at the OS and software level.
24.10.2008 by Martin Kuppinger
Some few weeks ago, Quest announced the acquisition of NetPro. The product portfolios of both companies overlap in many areas. A few days ago, Quest presented the “product rationalization roadmap” which now explains how Quest will deal with the areas of similar functionalities.
There are many products which will be discontinued – from as well NetPro as Quest. Quest has thoroughly analyzed the overlaps in the now combined portfolio and consequently decided for the more advanced solutions. In consequence, several of the current Quest products will be discontinued.
From a customer perspective, the (consequent) decision for streamlining the product portfolio could impose the need for a migration to a new product. Even while this mainly affects administrative tools which are used by a relatively small number of relatively experienced users, that is an effort. At least the change will not require acquiring additional licenses despite the fact that Quest and NetPro had pretty different licensing models.
What might be a real problem is that Quest will discontinue the products by the end of 2009. That is a very short time frame even while only administrative tools are affected. I could imagine that customers will ask for a prolongation of that time frame.
Quest, by the way, benefits from providing a broad range of separate products instead of a tightly integrated suite of tools. They don’t need to adopt the architecture and user interfaces of all the NetPro products which are continued but they could just decide which of the current NetPro and Quest offerings provides the more advanced and mature functionality. In the (few) cases where both current products have specific strengths not supported by the other product they will have do implement that over time.
But, overall, there will be few situations where customers will have to migrate and will miss important functionalities. From that perspective, the roadmap is convincing. The roadmap as well proves that the acquisition was mainly a market share deal. The real issues are the need for customers to migrate and the short period of support for discontinued products. Besides this, customers might do a more detailed analysis for licensing schemes. The migration is free, but there might be some effects in maintenance fees which should be evaluated.
24.10.2008 by Martin Kuppinger
Recently, I had several discussions around terms like Access Management, Authorization, and Entitlements. And I thought about what is in the center – is it the identity or is it access management? Some weeks ago I mentioned in my blog that Hassan Maad, COO of Evidian, has stated that, from his experience, customers understand access while they have difficulties with the term identity. And when I go back some two years, there has been an intensive discussion of the so called “Identity Gang” about the term “identity”.
In fact, the management of access is the core business requirement. That is about authorizing access, it is about being entitled to do something. Thus, access management, authorization management, and entitlement management are terms which are used in the same context, with slight differences between them.
But: It is not only about allowing access, or authorization, or entitling. The questions are: WHO is granted access? WHO is authorized to do something? WHO has which entitlements? There is always the “who”, the identity. With other words: These concepts are tightly coupled together. Authentication (proving the who) and Authorization (granting or denying access) can’t be separated. Which, by the way, becomes obvious when looking at the concept of federation.
And there are several other import aspects of the identity, including the approach of understanding core business objects as identities (and vice versa).
However, the concept of the identity is more theoretical and more complex than access, authorization, entitlements. Thus, it might be better to talk about “Identity and Access Management” instead of “Identity Management” – especially, because there are some technologies which are more related to identities and others more to access. At least until someone creates a better term which is understood by everyone and which replaces “Identity and Access Management”. GRC isn’t that term. But maybe someone has a good idea!?
16.10.2008 by Martin Kuppinger
I had a very interesting briefing with one of the vendors for Privileged Account Management today. Like in most briefings, we also touched the current economic turmoil. The discussion we had convinced the expectations I have for the GRC and IAM markets: They probably will not be that heavily affected by the economic crisis than other IT market segments. The reason is simple – companies have learned that risk management is mandatory and the pressure on implementing a high level of GRC controls is increasing. Companies have to invest whether they like or not.
But in the discussion we came to the point that there is another relationship: The companies that have invested in Risk Management and related technologies, down to Privileged Account Management, are not that much affected by the crisis than the ones who hesitated to invest money in GRC.
My opinion is that the reason for this for sure isn’t that for example Privileged Account Management or even the more advanced generic IT GRC solutions prevent companies (like financial institutions) from going bankrupt. But companies that invest in these technologies have understood the need for Risk Management. And they are likely to have a strong, reliable Risk Management as well for operational risks. They decided to invest in IT GRC, Risk Management, and other technologies because they were risk-aware. The ones who didn’t invest were probably more sort of risk-agnostic.
For sure there are examples of companies in trouble, even with a strong IT Risk Management – and there are companies without Risk Management which still aren’t affected that much by the economic crisis. But most companies have understood the message: They need Risk Management, for operational risks as well as IT risks. That is the reason why there will be significant investments in these market segments. Either companies have to act because they are blamed for their faults in Risk Management – or they don’t want to become blamed.
By the way, for the ones of you capable of reading germans – today I read an article about a survey that found an inability of brokers to think logically. No surprise in these days, isn’t it?
16.10.2008 by Martin Kuppinger
Yesterday one of the vendors (not Novell), who was a little late in an analyst briefing call, said that he had to talk before to a journalist. He mentioned that this journalist was somewhat surprised by the large number of announcements in the Identity Management and GRC industry in these days. Novell is one of the vendors who should feel guilty – they are very active in providing news these days.
One of the recent announcements is about Novell’s Compliance Management Platform. The better term probably would have been GRC Management Platform because Novell doesn’t end with Compliance but focuses as well on other, more Governance- and Risk Management-related aspects. But at least they have understood that customers require a platform, not point solutions to address the GRC requirements (which, by the way, never ever have been more relevant than in these days).
Novell starts with a bundle that consists of several existing products like Novell Identity Manager, Novell Access Manager, and Novell Sentinel, their SIEM and auditing solution. But it goes beyond this, providing as well additional tools which provide best practices from Novell’s implementation projects and thus will support in implementation.
I assume that Novell will work on the integration, the current solution being just a starting point. At least the announcement proves that Novell has understood some important things: GRC is extremly relevant – and it requires platform approaches, not singular solutions.
The second announcement made by novell is their acquisition of Managed Objects. That is particularly interesting to me because I have been watching Managed Objects for quite a while, as one of the really innvoative vendors in the Service Management market. Managed Objects provides analysis, dashboard, and management functionalities to Novell’s systems management solutions. In other words: Novell is moving forward from a technical approach to a better support for IT management.
That is, by the way, common to both announcements: Novell is moving forward from being a very technical vendor to one that understands and supports the requirements of the IT management – with IT/Business alignment being at the centre.
It will take some time for Novell to go that path. But the recent announcements are at least interesting signals for a fundamental, but still evolutionary change at Novell.
10.10.2008 by Martin Kuppinger
In our new Roadmap Report Identity Management and GRC 2009, available from Oct 13th 2008, we describe the structured evolution of Identity Management and GRC infrastructures across multiple maturity levels, from basic, administration-focused deployments towards business- and service-oriented implementations.
Within this guideline, I personally think that one of the blocks is particularly interesting. It is about “Identities” (covering the concepts behind and their storage) and moving forward to a business-controlled IAM. What we have in mind there is in fact the integration of Identity Management with the applications which deal with some of the core business objects – like employees, customers, or suppliers.
These objects play a central role within the business applications. And they are identities. Thus, it is obvious that identity management concepts and technologies can provide value in providing a consistent, integrated view on these business objects. From the perspective of business systems, we probably won’t use the term identity management. But we will use it.
In the light of such an approach, it becomes clear as well why vendors like SAP, Oracle, and Microsoft are heavily investing in identity management. In approaches where we business objects are managed and used in service-oriented applications, the consistency of these objects is a core requirement. The vendors which provide application infrastructures and business applications thus require identity management technologies. You can, for example, expect NetWeaver Identity Management thus to play a vital role in SAP’s Enterprise SOA approach, with a much tighter integration than you might expect today.
That integration is consistent with the overall tendency of IAM moving from an administrative technology to the business-level, with the application integration and business support mentioned as well as with GRC (and, in consequence, business roles and rules) as control infrastructure above today’s more or less technical provisioning solutions.