Quest acquires Bitkoo – another step for Quest to play with the big boys

19.12.2011 by Martin Kuppinger

During the past few years, Quest has acquired several other IAM vendors: Völcker Informatik (Provisioning and Access Governance), Symlabs (Virtual Directory Services), Vintela (Linux/UNIX Authentication and Integration), and e-DMZ (Privileged User/Account Management) are just some examples of this shopping spree. The newest addition to the Quest portfolio is Bitkoo, a vendor in the  Dynamic Authorization Management space (

This acquisition comes as no surprise given that Dynamic Authorization Management is one of the most interesting amongst the emerging segments within the IAM market. Dynamic Authorization Management is about externalizing authorization decisions from single applications and performing them against centralized backend systems, based on centralized rules. Instead of hard-coding security into applications and instead of having to maintain authorization rules in a lot of different applications, Dynamic Authorization Management systems build the backend for such decisions.

Dynamic Authorization Management thus is a core piece of identity and security services and “Application Security Infrastructures”, i.e. the set of services applications rely on when externalizing identity and security. Such services include administration (for example using central directory services), authentication (best based on versatile, context-/risk-based authentication), authorization (Dynamic Authorization Management), and auditing/alerting. The latter is sort of the missing piece, and in that area there is a lack of standards. But that is a topic I’ll cover in another post.

So Quest has acquired Bitkoo. That is not surprising given that Bitkoo fits well into the Windows-centric strategy of Quest. It adds to the portfolio, making Quest one of the vendors with a comprehensive portfolio of IAM solutions. Quest is, from the breadth of its portfolio, playing in the same league as the well-known big vendors in that space like CA, IBM, and Oracle (which, by the way, all have something to offer around Dynamic Authorization Management). Quest has shown a clear strategy in acquiring other vendors over the past years. Now it’s up to Quest to tell this message to the world, proving that they are more than the corner store selling a mish-mosh of tools for administrators. Quest has another portfolio now – and that makes them a really interesting competitor in that market.

This acquisition will most likely also increase the attention on Axiomatics, the most prominent specialized vendor left in the market of Dynamic Authorization Management. Axiomatics is on one hand the independent alternative – and on the other hand the obvious acquisition target number one now that Bitkoo is part of Quest.

SAML, SCIM – and what about authorization?

16.11.2011 by Martin Kuppinger

Cloud Computing is just another delivery model for IT services. However, due to the specifics of cloud services like multi-tenancy and many others, requirements sometimes are even higher than for on-premise services. One of these requirements in well-architected IT environments and for well-architected applications is the ability to externalize security. That includes relying on external directories for administering and authenticating users, e.g. on Identity Providers. It might include the capability of “cloud provisioning”, e.g. receiving changes of users – even while I clearly favor federation as loosely coupled approach over provisioning. It should include the support for external logs, event monitoring, and so on – unfortunately that appears to be a topic where noone is really working on.

And it should include the capability of managing authorizations in cloud services based on centrally (on-premise or using a cloud service – but centrally and not per cloud service!) managed policies. There is limited value in federating users and than doing all the administration work per cloud service using the cloud service’s proprietary management GUIs or APIs. However, authorization is where the problem really starts.

There is a standard for distributed, dynamic authorization management out there: XACML, the eXtensible Access Control Markup Language. It allows to describe the rules. It allows to work with different repositories for identity information (PIPs, Policy Information Points) and other information required for authorizations, it provides interfaces to custom and standard applications, and so on. However, I haven’t seen XACML in the cloud until now. Unfortunately, I also haven’t seen any real alternative to XACML.

Some might claim that SAML might do that job. There is the SAML Authorization Decision Query as part of the SAML 2.0 standard. But that leads pretty quickly to SAML/XACML interoperability and things like the SAML 2.0 profile of XACML. In fact, if it is about having a consistent set of policies expressed in a common standard, XACML is what we need. We need to define and manage these policies consistently per organization, not per service. Services should request authorization decisions – at least in an ideal world. However, when looking at the cloud, there comes another aspect into play: Performance. Performance is a general issue when externalizing authorization decisions. For cloud services which have to ask many different authorization “engines”, it is an even bigger issue. And there is the issue of latency, which is a factor in cloud environments due to the geographical distances you might find there.

Thus, while XACML is fine for defining policies, the interesting question is: Should cloud services ask external authorization engines per authorization decision? Or is it the better way to update the relevant XACML policies at the cloud service and do authorization decisions there? However, then we will still need a way for efficiently accessing the PIPs for other attributes required to perform the authorization decision.

I don’t have the full answer. However I’m convinced that XACML is a key element for authorization in the cloud, given that it is the standard for externalizing authorization decisions. But it might need some enhancements to optimally work for cloud security as well. It definitely will need improved security architectures for cloud services themselves to externalize authorization decisions and to rely on centrally managed policies. And it definitely needs some thinking about the overall security architecture for cloud services. So I’m looking forward to comments on this post – maybe I’ve missed something and everything is there; maybe this initiates some enhancements to standards. I don’t know but I’m really curious.

Recertification in dynamic authorization systems

28.07.2011 by Martin Kuppinger

Access Governance tools are becoming standard in IAM infrastructures. However, they mainly focus on “static” access controls, e.g. the entitlements granted to a user based on roles and other paradigms. Recertification is supported by these tools, and the solutions are maturing quickly. Thus, that part of Access Governance is easy to solve.

However, the next wave is coming with the increasing success of tools which are commonly called Entitlement Servers or Policy Servers. I tend to call them Dynamic Authorization Systems because they authorize based on rule sets and attributes at runtime. While the rules are set, the attributes are changing. I’m a strong believer in these tools and in XACML als the underlying standard for communication between the different modules and in heterogeneous environments.

But: What about Access Governance for these environments? Some of the Access Governance tools support that to some degree, allowing to pre-evaluate some business rules which use defined roles or attributes. However, many rules – especially business rules like “users of the life insurance backoffice with the role xxx and the defined constraint for signing payments up to 50,000 € are allowed to sign that type of claim” are out of scope. There is some support for testing such rules for example provided by Axiomatics.

However, I don’t see a solution which provides integrated Access Governance for all types of entitlements. Given that Dynamic Authorization Systems gain momentum, its just a matter of time until auditors will ask for such solutions. These solutions should, like modern Access Governance tools, support the lifecycle management for the policies including approvals, auditing and analysis, and the recertification of such rules. That is more complex than what is done today. But, without any doubt, we will need this soon.

It will be interesting to observe who becomes the leader in that market. The vendors in the market of Dynamic Authorization Systems themselves? The Access Governance vendors? New startups?

By the way: The topic isn’t that new – look here.

Dynamic authorization management

18.03.2009 by Martin Kuppinger

Authorization management is becoming increasingly popular. But there are, in fact, two very different approaches:

  • Static authorization management, where changes are provisioned to the target systems.
  • Dynamic authorization management, where authorization decisions are externalized to authorization engines at runtime.

The latter require changes to the applications, but they lead to the externalization of authentication and authorization (and hopefully as well auditing) from applications. Everything can be easily managed from outside of the applications.

Whilst static authorization management is provided by provisioning systems (at the more technical level) and by several GRC vendors (from a business control perspective), vendors of solutions for dynamic authorization management are still relatively rare and, besides this, in most cases relatively small. Besides Oracle with their Entitlements Server and, to some degree, CA with their Embedded Entitlements Manager, vendors include companies like Bitkoo or Engiweb, to name some of the two which are particularly interesting. And, for sure, Microsoft’s approach for claims leads in that direction – but at least in the current approach, authorization decisions aren’t externalized yet.

From my perspective, externalizing these decisions from applications definitely makes sense. Policies can be managed centrally, changes are effective immediately, and application developers don’t have to think much about security. They just rely on external decisions. In fact, things are moved from coding not only to deployment, but to runtime.

There are three challenges:

  • The authorization engines have to be fast
  • They have to be integratable with other IAM/GRC tools for a consistent management
  • The applications have to be adopted to a specific solution

The first part is just an architecture and engineering task which has been solved by several vendors. The second requires, from my perspective, standards for the description and exchange of policies which are still widely missing. The third part could also be addressed by standards. That would give customers the choice between different authorization engines. As long as these standards are missing, customers should, with respect to the last bullet point, focus on implementations which require few changes in applications to minimize the risks of vendor lock-in. On the other hand, the advantages of such approaches are significant – and vendors like Bitkoo and Engiweb are succesful because of that fact.

From my perspective, companies should start looking at these approaches today and really start externalizing security out of the code.

By the way: We’ve given our European Identity Award in the category best innovation in 2008 to some of the vendors mentioned above. Attend European Identity Conference 2009 and learn, amongst many other things, who will be awarded as innovator this year.

The need for standards

Going beyond attestation: Authorization Management is key

03.02.2009 by Martin Kuppinger

There is no doubt that the attestation capabilities which can be found in many of today’s IAM-GRC platforms (e.g. GRC platforms with focus on Identity and especially Access Management aspects) are important and helpful. Attestation provides a capability to go through existing entitlements and, in some cases, changes and confirm or revoke them. But: Attestation is mainly sort of a detective approach. There are two other aspects which have to be addressed as well:

  • Preemptive controls which avoid that there is any access right granted which later on has to be revoked
  • Controls in the sense of really managing and not just auditing

That is where active Authorization Management comes into play. In my definition, Authorization Management defines the approaches to centrally manage authorizations in underlying systems. In best case it ends up with the management of specific entitlements (that would really be “Entitlement Management”), in most cases it is only the capability to map users (using roles and so on) to system-level roles or groups or profiles. Better than nothing… In fact, most GRC solutions are limited because the provisioning solutions used are limited as well. There are only few products which can granulary manage entitlements at least for a few target systems.

But at least using higher level policies (and thus rules) and business roles to manage authorizations, e.g. in most cases controlling provisioning systems, is a huge step forward – even more if the GRC system can use the reconciliation capabilities of provisioning solutions to detect issues on the fly and not some weeks or months later when next time going through the attestation process (that might be too late – the money might be at some strange caribeean island at that point of time).

Anyhow, the big gap of provisioning still remains. Provisioning (or GRC) are in control down to the assignment of users to groups/roles/profiles in the target systems. But what these group, roles or profiles are allowed to do is managed by someone else – the operator/administrator of these target systems. You should always keep that in mind, because it is the reason why we will need not only one level of attestation but a multi-layered attestation, starting with the sysadmin who confirms that groups, roles, or profiles still have correct access rights at that level.

There is another interesting aspect of Authorization Management: Dynamic Authorization Management. Most of today’s approaches are static, e.g. they use provisioning tools or own interfaces to statically change mappings of users to groups, profiles, or roles in target systems. But there are many business rules which can’t be enforced statically. Someone might be allowed to do things up to a defined limit. Some data – for example some financial reports – have access restrictions during a quiet period. And so on. That requires authorization engines which are used as part of an externalization strategy (externalizing authentication, authorization, auditing and so on from applications) which provide the results of a dynamic authorization decision, according to defined rules, on the fly.

Today, in most cases companies rely on a single-layer attestation – which isn’t sufficient. They have to move to multi-layered attestation, to static authorization management and to dynamic authorization management. And vendors will have to enhance their products significantly to support every aspect. There is still a long way to go for IAM-GRC vendors, not even talking about extending GRC platforms to SIEM, BSM, and other aspects.

File Server (Web) Services

29.04.2008 by Martin Kuppinger

One of the newer topics in Identity Management is the Enterprise Entitlement Management. This term describes approaches for a centralized management of the low-level entitlements (e.g. access controls) on system level from a central perspective.

That seems to be pretty complex. How shall you ever manage file server ACLs from a central tool in an efficient manner? Or other tools? Yes, it isn’t that easy to solve. But bring in services and you’re much closer to a solution – not only for entitlement management, by the way.

Think about abstracting file server resources as services (which is, by the way, not that different from shares in the Windows world). Users will understand services – a service provides the ability to store and retrieve their contracts or their personal files or their blueprints or their drafts of new marketing materials or… A service is simple to manage from a security standpoint: No access, read, write, do everything – or something like that are the relevant rights.

Services are easy to handle in accounting. Their might be restrictions like quotas applied on the service level. And managing entitlements on that level is not that complex – that can be mapped to concepts in the Enterprise Authorization Management pretty easy.

You might argue that the file system still has to be locked down. No problem – as long as you can access it only through services. There might be different overlapping services for the same resources. Administrative shares in Windows are one example for that. If that isn’t sufficient, you can still use ACLs – and the services might act as specific operating-system services which bypass that security level or (like today in Windows) combine their security settings with the operating-system level settings. The latter is pretty complicated and somewhat overengineered. From my perspective, a consequent service approach might be sufficient.

To add some web services for file system access might be helpful – but it isn’t mandatory. A service is not necessarily a web service. In fact, everything you need for such an approach is available. Some things might be improved. But with a service-focus for file server services, security is easier to manage and to audit.

Enterprise Information Management

22.10.2007 by Martin Kuppinger

In some of my last entries in this blog (here and here) I’ve mentioned the concept of Enterprise Information Management, something I will cover in depth in a report within the next few weeks. Enterprise Information Management will be sort of the long term evolution of today’s Identity Management and some of the tightly related topics, as well as the integration of IAM with some other technologies. I started thinking about this concept when I developed a simple chart which describes the future of IAM.

It starts with today’s IAM, which is sort of “Identity Management for Administrators”, e.g. solving mainly technical issues in synchronizing information, with support for single sign-on or with provisioning. I’ve titled the next level “Identity Management for Applications”, describing the service orientation and the integration into applications. It includes aspect like Application Security Infrastructures. Many vendors are working on a service layer or the integration of business applications with their IAM products.

Read the rest of this entry »

From risk-based to context-based authorization

20.10.2007 by Martin Kuppinger

Dave Kearns, who will contribute as a track moderator and speaker to our European Identity Conference 2008, has introduced the term context-based authorization (and influenced my thoughts on this topic – thanks to Dave) as an approach for basing authorization on the context in which a user acts, which goes beyond the risk-based authorization in two ways: It’s not binary, e.g. either in or out. And it’s based potentially on more information about the context. I’d like to add some thoughts from my side to this and explain as well the difference between today’s risk-based authorization and tomorrows context-based authorization.

Risk-based authorization is an approach which has developed mainly in the financial industry. The idea is to observe and analyze user interactions to detect potential attacks and other dangerous situations. If there is a risk, the authorization to access a specific system or specific data within in a system is denied. There are several vendors in this space, including Oracle with their Bharosa acquisition and Arcot Systems.

The idea of context based authorization goes well beyond this, even while there is no hard borderline between vendors of risk-based authorization and the context-based authorization idea. It’s more sort of an evolutionary process. I personally expect that todays vendors in the risk-based authorization space (which sometimes have a some ability for context-based authorization as well) will expand their products towards context-based authorization. I assume that we as well will see some new specialists in the space of context-based authorization. And for sure the key players in the IAM space will enter the market for context-based authorization either with the make or the buy approach, e.g. building it by themselves or acquiring someone. Read the rest of this entry »

© 2014 Martin Kuppinger, KuppingerCole