23.02.2011 by Martin Kuppinger
I still too frequently observe that organizations are too quick when it comes to technology decisions. In many organizations, there is first a decision that “provisioning”, a “web application firewall”, “single sign-on”, or even “identity management” is needed. Then some people google for these terms, find some vendors and decide on a solution. That fits requests like “We’d like to have identity management running by the end of the year - could you support us?”
On the other hand I frequently observe that many customers aren’t aware of important technologies like Access Governance or Virtual Directory Services, to name just two of them. But if you don’t know what’s out there – how could you be sure that the solution you’ve chosen really is the best one?
Successful projects also require a good understanding of which types of technologies are out there and which are best suited to support solving specific problems (technology doesn’t solve the problems, but it can support doing so). That, in turn, requires not only understanding the real problems (challenges, issues, threats, …) which have to be solved but also understanding how to solve them. This leads to specific requirements and to knowledge of which requirements are mandatory and what the priorities are. It also helps in understanding which of several overlapping technologies (or which part of them) is the best one to start with. Once you have done all this and defined a book of rules, processes, and so on, you can start choosing the product within a specific category.
And yes, correct: that takes a little longer than just choosing the product. But it will lead to a decision based on facts and not on uncertainty.
17.02.2011 by Martin Kuppinger
These days I’ve met with some of the executives of SAP to talk about their roadmap. Overall, SAP is moving forward with its Identity and Access Management products, e.g. SAP NetWeaver Identity Management (NW IDM). And the integration of the recently acquired SECUDE products and technology will significantly enhance the SAP product portfolio. Some of the new features are improved role management capabilities, reporting via SAP BW (Business Warehouse), and new REST-based APIs for UI creation. No rocket science, but valuable add-ons for their customers. SAP is also enhancing the integration with their core products and with SAP BO GRC AC (SAP BusinessObjects GRC Access Control).
The most interesting step forward, from my perspective, is the strong focus on SAML 2.0, which shall become the strategic replacement for SAP Logon Tickets, a form of proprietary cookie. SAML allows cross-domain use, in contrast to the domain-dependent SAP Logon Tickets. And it will provide simpler integration in business processes which span not only the SAP environment but heterogeneous applications. Besides the increased flexibility, SAML assertions can carry much more information about the user. However, the step from SAP Logon Tickets to SAML 2.0 won’t be a hard or even quick migration. SAP will continue to support SAP Logon Tickets, and SAML 2.0 is supported only in backend systems starting with the 7.0.0 release. Still, SAML 2.0 offers significant features, and SAP provides (besides the integrated IdP in SAP NW IdM 7.1 and higher) SP (Service Provider) capabilities at the backend as well.
Another area of migration is moving from CUA (Central User Administration) to SAP NW IdM. SAP strongly recommends using SAP NW IdM instead of the limited CUA capabilities. Again, this is a smooth migration: CUA won’t, according to SAP, be shut down as long as ABAP-based systems (the older SAP systems) are around. However, installing CUA is no longer recommended.
In essence, SAP is continuously enhancing its Identity and Access Management capabilities and is not only strengthening the integration into the SAP environment but also adding support for heterogeneous environments and standards. Thus, SAP NW IdM is, from an SAP perspective, an enabling technology for integration within the SAP infrastructure and (especially with SAML 2.0) beyond.
15.02.2011 by Martin Kuppinger
Quest today announced that they will acquire e-DMZ Security, a PxM (Privileged Access, Account, Identity, User Management) vendor. That comes as no surprise given that PxM has been one of the last (relatively) white spots on the IAM map of Quest Software. Quest is further completing its portfolio, being a full-service provider for IAM now and offering one of the most complete portfolios in the market.
The e-DMZ portfolio consists of several modules, providing different types of PxM capabilities:
- Managing passwords for privileged accounts in a central repository
- Application password management to get passwords out of scripts and applications
- Privileged session management to monitor and manage sessions of privileged users
- Privileged command management with the capability to limit the commands allowed within sessions
With these features, Quest closes some gaps. Together with products like Quest Authentication Services, Quest One ActiveEntry, or Quest ActiveRoles Server, plus the monitoring capabilities provided by different Quest tools, Quest can provide a comprehensive set of features to manage all types of accounts and their access.
However, that will require (as with virtually any PxM platform) some integration work to be done, given that customers have to work with several products. One-stop shopping doesn’t necessarily lead to a single-step installation. With the increasing number of tools, Quest will have to look at how to provide the balance between integration and modularity to its customers: integration in the sense of providing well-integrated solutions which are up and running quickly, and modularity in keeping with the Quest approach of providing focused products instead of monstrous suites.
Whilst not being the most prominent vendor in the PxM market, e-DMZ Security provides good support for UNIX/Linux as well as for Windows environments, which fits well into the Quest portfolio.
10.02.2011 by Martin Kuppinger
Being involved in a lot of advisory projects at end user organizations for some years now, I’d like to share some of the fundamental changes I observe. There is always a gap between what analysts like us, KuppingerCole, predict and what is done in reality. Thus it is always great to observe that things we’ve predicted and proposed are becoming reality. So what has changed over the course of the last years – trends becoming reality:
- Access and Identity Management: Back in 2008, I blogged about the relation between the terms “access” and “identity”, the latter being much more difficult to explain. Today, the clear focus is on access controls.
- More flexible architectures: Some time ago, the idea was to have one provisioning system which covers everything. Today more flexible architectures, as described in one of my research notes, are becoming reality. Access Governance on top of several provisioning systems, which allows protecting existing investments and moving forward in smaller steps, is increasingly common – and the increased maturity of Access Governance tools is the foundation for doing this. Provisioning is increasingly seen as a technology layer below such integration layers (not necessarily Access Governance). And so on…
- Access Governance on top, doing things more business centric: A consequence of this is that companies focus much more on the business user and their requests for access (yes, for access, not mainly for identities). This isn’t entirely new but the way IT interacts with business has changed over time.
- Integration with service request approaches (not service desk, as BMC believes): Another tendency is to integrate access and identity requests with other service requests, either in the IAM/Access Governance tools (as in Quest One ActiveEntry or Avatier AIMS, to name just two) or in service catalogs. However, the interface has to be for business users, not for IT – i.e. not the service desk itself. Service desks are also increasingly part of the integration, within the more distributed architectures mentioned above, but for the manual part of fulfillment in systems which aren’t connected through a provisioning system.
- Bodies of rules, policies, …: The most important change, from my perspective, is that more and more projects start with the definition of “bodies of rules”, policies, and concepts – and not with the selection of a technology. That definitely makes sense: you don’t start building a house by buying stones, you start with blueprints.
Two more trends (amongst others) increasingly becoming reality are:
- Externalization of security out of applications in a standardized way, based on XACML and other approaches (and yes, there are real world projects out there on this)
- Hybrid cloud IAM and Access Governance – how to deal with mixed environments
Overall there is a clear shift of how IAM is done. And this change will continue, with the upcoming integration of Access Governance and other IT GRC approaches into enterprise-wide GRC concepts.
To learn more about the trends as well as the best practices don’t miss EIC 2011, where thought leadership and best practices come together.
03.02.2011 by Martin Kuppinger
Recently another analyst company had a presentation titled “The future of Information Security is context- and identity-aware”. Yes – but not that new. I remember that we had the context-based approaches as a key trend at our second European Identity Conference, back in 2008 (thus the upcoming EIC 2011 is IMHO the best place to learn about the new trends and the best practices for today around IAM, Cloud Security, GRC, and related topics).
I personally think that there are some important aspects to consider when looking at the overall topic of Information Security:
- First of all: It is about the I in IT, not the T. It is Information Security, not Technology Security. That is information-centric.
- You need to have the organizational structure, the processes, the policies in place before you look at technology.
- You need standards around information security for your entire application environment to reduce grass-roots security approaches and islands.
- Context is an important thing. Context defines criteria to understand the risk of interactions and transactions.
- Given that, it is mainly about risk. Context helps you in better dealing with risks, but the core thing is risk.
- Regarding identity-aware, I’m a little reluctant. It is correct in the sense that there is little value in just looking at information or systems but not at the identity. Look at DLP: blocking the transfer of information altogether is wrong – it is about allowing only the right people to transfer the right information. In that sense, identity-aware is important. Have a look here (not that new…) where I have put DLP into context. But you should be careful – it is not necessarily about a 1:1 mapping person:identity. There are situations (think about identity federation) where it might be a role, a group of people.
- Versatility is also important – the flexibility to authenticate people in a flexible way, which is a prerequisite to support all types of potential users, internal as well as external.
Information security is a key topic for every organization (and not only the IT department). Following the principles above should help you to better understand the value of technical approaches. Technology which doesn’t support the principles and is not “backed” by the organizational structure, processes, and so on will only have limited value to achieve your targets around information security.