03.03.2010 by Martin Kuppinger
These days the industry talks a lot about IT GRC, Risk Management, Access Governance, Identity for the Cloud, and so on. However, we should keep in mind that the vast majority of organizations still have a lot of homework to do around basic Identity and Access Management. Even more: that is the foundation for many of the other things like Access Governance, because it is not only about auditing but also about managing (and, honestly, it is much more about managing and enforcing preventive controls than about auditing in a reactive way, isn't it?).
Thus, you shouldn't ignore Identity Provisioning, Virtual Directory Services (still one of the most valuable technologies in IAM and one of its best-kept secrets at the same time), or Enterprise SSO. You will find a lot of podcasts and webinar recordings on our website. Thus, I won't analyze everything around that but focus on a few points why we should still consider the core IAM market as relevant:
- Provisioning tools have matured over the past years, and they frequently support many of the "new" features like access certification. Thus you can do a lot relying only on these "basic" tools instead of adding too much on top of them. Not everything, but a lot. That has to be carefully analyzed, but in several cases one tool definitely is the better solution than multiple tools. That's like in real life: there are advantages to the multi-tool, and there are advantages to the specialized tools.
- If you look at the market, then there are relatively few really big organizations. Most of them have some IAM. But, to be precise, most of them have more than one IAM approach and implementation. Thus, they have integration issues, which is an important market with many architectural options to solve this. And, beyond that, in these large organizations you frequently can observe a tendency to implement point solutions in some areas, for example an additional provisioning tool for some specific systems. Given that, there is still a lot of work to do and a lot of potential, for example in providing the provisioning tool which integrates other provisioning tools.
- Medium-sized businesses frequently don't have much provisioning or other IAM solutions in place. Thus, there is a huge market opportunity, for on-premise as well as cloud-based solutions.
- Some implementations might be worth a review with respect to today’s requirements and solutions. There is always room for updates and even replacements.
The reason why the marketing departments of vendors pay somewhat less attention to that segment (at least when looking at vendors which have not only provisioning) is simple: Provisioning is hard to sell. E-SSO is easier to sell. Access Governance might be even easier than that. Thus, looking at the low-hanging fruit instead of focusing on products with a long sales cycle and a lot of competition appears to be logical from a sales perspective. However, that leaves a large portion of the market untouched, and it doesn't fill the pipeline sufficiently for the time when the low-hanging fruit has been picked.
It's not up to me to judge vendor marketing and sales strategies. But it is interesting to observe what is happening in the market. And that might be one reason for the relative success of several of the smaller vendors in many markets (by the way: some large vendors are very active in the "classical" segments: innovative, focused, ...).
From a customer perspective, the buzz around the new topics might divert the focus from the things which have to be done as a foundation on which other things can be built. Thus customers should always keep in mind that they can't be successful without doing their homework. And that includes providing a solid foundation for provisioning, with an architecture adequate to the customer's requirements. I'll blog about these architectures soon, but you might as well look here; I've touched on the topic in this webinar.
Don’t miss the European Identity Conference 2010 and its Best Practice presentations to learn more about this. See you in Munich, May 4th to 7th.
13.01.2010 by Martin Kuppinger
For some of you, the acquisition of Burton by Gartner might have been the deal of the year. I (for sure, acting in the same market) will not comment on this. But for me, it hasn't been the deal of the year, even in these first two weeks. Much more important is the acquisition of Archer by RSA. RSA Security, an EMC subsidiary for several years now, has bought one of the leading GRC vendors. In fact it was EMC which acquired Archer, but within EMC it is RSA Security which takes it on.
Archer is one of the major players in the Enterprise GRC market (I recently discussed the various segments of the GRC market). With the acquisition of Archer, RSA, until now a provider of very specialized components in the SIEM, DLP, and other security-related markets, tries to close the gap between its own technical tooling and the high-level view of Archer (being mainly an Enterprise GRC provider with some level of CCM). That definitely makes sense. And it fits well into EMC/RSA's strategy for Cloud Security. Thus, by integrating the tools of RSA (and other EMC companies), which provide the information for automated controls, with the high-level view of Archer, its drill-down features, its manual control capabilities, and its overall policy and control management, EMC (with RSA and Archer) might well be able to make a big step forward towards an integrated GRC offering.
However, this shouldn't be limited to security-related IT controls but should cover all types of IT controls, including service management, access governance, and others. Standards like COBIT show how many different controls are relevant. And, from the high-level perspective (the Archer view), it should even go beyond IT controls and IT GRC. Thus the acquisition of Archer shouldn't be understood as the final but as the first step. Integration of what EMC and partners are offering is the logical next step, but to fully deliver on the idea of an integrated GRC, EMC might have to add some other technologies (like access governance and, especially with a focus on the cloud, service management).
Anyhow: The acquisition makes sense, no doubt about that. And I’m convinced that it hasn’t been the last one in the GRC market for this year.
02.12.2009 by Martin Kuppinger
I had several interesting discussions with some vendors about the future of some market segments in the IAM market. And when I look at these markets (and many other IT markets, including the emerging cloud market) one thing becomes obvious: Established vendors tend to act as a sort of lemmings. What do I mean by that? There is an idea that appears to be successful for one vendor. Then other vendors tend to follow without really analyzing whether this is really the best approach. They frequently claim that their customers are requesting that type of solution. But: Their customers are frequently just looking at the different solutions which are available at that point and pick features which are available. Once they have the tool in production, they might ask for additional features. But customers don't tend to invent the products they might need to be successful over the next years.
This customer focus (most product management is focused on customers only, with some competitive analysis) is important, no doubt about that. But there are some threats:
- It is hard to create a USP when being a sort of follower to the market. OK, larger vendors might rely on their sales strength, but that doesn't always work.
- Building products and product architectures for what is common might lead into dead ends. Changing that, either by acquisitions and their integration or by re-architecting products, is expensive.
Overall I strongly recommend that vendors add the look beyond the current state and the obvious next steps. Some of the more innovative features might require significant changes to the product, thus development has to start early. Besides: Adding this view to your roadmap neither hinders you in developing mainly for the features which are requested today by customers, nor is it really expensive. A few days of workshops with thought leaders and the creative guys within the vendor will probably lead to a big step forward.
But until now, there are more lemmings than other species. Or, to stay with another comparison from a management book I've read years ago ("Dolphin strategies", I can't remember the author, sorry): There are more sharks than dolphins. The author divided business people into three categories:
- Sharks: Aggressive, trying to make their own way with elbows out.
- Carps: Doing their job at the minimum level, nothing else.
- Dolphins: Jumping out of the water, trying to discover new horizons (and, by the way, very willing to kill other people's holy cows; I liked that...).
And dolphins are what is needed to discover new horizons, with some carps making things real and the sharks selling it. But lemmings seem to avoid dolphins, for some reason.
26.11.2009 by Martin Kuppinger
German vendor Beta Systems, one of the well-established vendors in the core IAM market, e.g. provisioning (notably, they provide other solutions as well), has recently unveiled the new version of its provisioning product, now called SAM Enterprise Identity Manager, in contrast to its former name SAM Jupiter. That highlights that this product is part of a specific market segment, identity provisioning products, most of which are named "Identity Manager". It also shows that Beta Systems understands this release as a really major release.
And, in fact, it is. Amongst the broad set of new features, there are two really important ones:
- Beta Systems has finally managed to merge the two releases of its product. Until now, there has been a host-based and a Windows/UNIX-based version. The new version runs on all platforms and has, in addition, broader platform support for databases and other infrastructure components. Thus, maintenance and development are now easier for Beta Systems. And, furthermore, customers can now much more easily pick their platform of choice.
- Beta Systems has added multi-tenancy capabilities, being amongst the first provisioning vendors to do that. That is not only interesting to (external and internal) service providers but also to large organizations in industries with strong compliance regulations which, for example, have to enforce separate segments of IT administration for different parts of the organization, like sometimes in banks.
I especially like the multi-tenancy approach because that will become a mandatory feature in provisioning tools over time.
30.07.2009 by Martin Kuppinger
These days I have learned that Fischer International Identity has trademarked two pretty generic terms:
- Identity as a Service (TM)
- IaaS (TM)
I wondered (and still wonder) about that. Fischer declares that they have invented that type of business ("a services-based architecture built from the ground-up for the express purpose of cost-effectively delivering identity management capabilities via the Software as a Service (SaaS) model"), built on a SOA architecture, supporting multi-tenancy, and able to work across firewalls. Honestly: Yes, they are an innovator in that space.
Unfortunately, that isn't the only technology to which the terms mentioned above are applied. There are many different identity services. External identity providers for OpenID, strong authentication services, SSO for the cloud, ... To all these services the terms IaaS (TM) and Identity as a Service (TM) are frequently applied. And if you look at Application Security Infrastructures, then it is also about providing identity services.
Thus, I agree with Fischer that they are a sort of pioneer in providing "provisioning as a service" (which would be PaaS), but I don't agree with their view that they have invented the entire market space for which these terms are used today. Anyhow, it is a little like Daimler having trademarks on "car", "Automobil", and other related terms, isn't it!?
On the other side: Maybe I shouldn't bash Fischer for trademarking (why not try to get them?), but the ones on the governmental side who have agreed to trademark these very common terms. What will be next? SaaS (TM)? Cloud Computing (TM)? I really can't understand that such common terms are trademarked (and I will use some related but somewhat different terms in the future). However, anyone who uses these terms has to attribute ownership of the mark to Fischer International Identity, as they have stated. Let's see how they deal with the trademarks in practice. And be careful when using these terms.
To comply with the trademarking stuff: Identity as a Service (TM) and IaaS (TM) are trademarks owned by Fischer International Identity.
24.06.2009 by Martin Kuppinger
IBM yesterday announced its Tivoli Identity Manager 5.1. If you read the list of new features you might end up with the same question as me: Why is it only version 5.1, i.e. a minor (.1) release, instead of TIM 6? Amongst the new features are fundamental things like Role Management, SoD support, attestation and, last but not least, support for some Privileged Account Management (or Privileged Identity Management, the term IBM is using). In other words: IBM has significantly expanded the feature set of its product, mainly adding a lot of IAM-GRC features to what TIM delivers. Given that they have some other interesting solutions in the GRC space, especially for analytics and dashboards, IBM definitely improves its positioning in that emerging market segment.
So the GRC stuff is one of the new areas in TIM 5.1. That's nice, but we have seen that before. Many vendors have either added such features to their products or have released separate GRC platforms, with advantages and disadvantages to both approaches. IBM has in fact only caught up in that area.
Much more interesting is the addition of PIM capabilities to a provisioning solution. Even while not every aspect of PIM will be solved by what TIM 5.1 delivers, that fulfills my expectation of PIM becoming more and more a part of provisioning tools, which is just logical, given that it is about managing accounts. IBM is the first vendor in the market to deliver an integration in that area. Novell might become a close follower, given that they have recently acquired a PIM vendor.
With these additions, IBM would have good reasons to name this release of TIM version 6.0 instead of 5.1. But understanding the reasons for version numbers is definitely amongst the hardest things in IT.
However, IBM shows that they are working intensively to improve their positioning in the IAM and GRC market space. Being one of the first big companies to enter that market, there hadn't been that much evolution for some time. But now IBM is definitely back and moving forward significantly, acting as a strong competitor for the other players in the market. And once they deliver full GRC solutions, beyond IAM-GRC and access controls (and IBM is amongst the ones who might deliver on that, given their strengths in areas like SIEM, ITSM, and others...), IBM might even further improve its positioning.
20.04.2009 by Martin Kuppinger
Today Oracle announced that it will acquire Sun. That isn't a real surprise to me. When the potential acquisition of Sun by IBM was discussed some weeks ago, I was asked about my view on that. From my perspective that would have been mainly a market-share deal. And when big market-share deals are discussed, Larry Ellison isn't far away. Thus I said at that point in time that Oracle might as well make a bid. The third company I had in mind was Cisco, but they have missed that opportunity (which would have improved their strategic positioning significantly).
Right now, Larry Ellison has done it again. And from his perspective, that makes sense. He acquires market share in the application infrastructure and IT infrastructure markets, and he gains access to much more Java intellectual property. Despite some overlaps in the portfolio, Oracle benefits from that. They become the "Java company" and they have acquired several other interesting pieces of software. Regarding Solaris, the advantages aren't that obvious. But at least Oracle has its own operating system now, which might become interesting for appliances and for other new types of solutions. The other way round, Solaris might benefit from other Oracle offerings as part of larger packages or enterprise license agreements, and given that Oracle is now a hardware vendor as well, they might provide interesting bundles to their customers.
It is noteworthy that Oracle doesn't talk much about the hardware business in the initial press release. But the sentence "Oracle will be the only company that can engineer an integrated system – applications to disk – where all pieces fit together..." is an indicator of Oracle planning to keep the hardware business and not to sell it. And given the opportunities for selling larger projects, for the appliance market, and for future cloud offerings (based on its own hardware), there is some potential in that combination.
Specifically for IAM and GRC, there are some overlaps. But there are also specific strengths in both portfolios, for example the very fast Sun Directory Server, and the installed base of Sun. Anyhow, customers will have to carefully analyze the combined roadmaps of both companies. There are overlaps, and that might lead to scenarios where customers have to migrate at some point in the future.
14.04.2009 by Martin Kuppinger
Cloud Computing will be the next big paradigm shift in IT. I have no doubt about that. But as in many other cases, there is first of all a vision, then a buzzword, then some basic technology, and only then do people start to think about things like reliability and security. The same is true of Cloud Computing. There are many services out there, but IAM and GRC for the cloud are heavily underestimated.
That is somewhat funny given that some of these services appeared in the big New Economy bubble some ten years ago. Salesforce.com is just one example; some of the online conferencing providers have also been in the market for years now. But only few of them support at least basic standards like SAML (Security Assertion Markup Language) for Identity Federation. And many still lack support for such standards, not to speak of more advanced approaches like Information Cards or XACML.
Beyond the fact of missing support for existing standards, there is the issue of missing standards. There are virtually no standards for GRC, for example for auditing and alerting (and SNMP isn't the solution for the cloud). Even XACML is more of a technical standard, which needs a lot of additional work to really support the authorization management issues in the cloud.
There are some additional offerings, for example for Single Sign-On to the cloud, there are some identity providers for the very lightweight OpenID and even fewer for Information Cards, and there are few offerings for Identity Provisioning from the cloud, i.e. managed services for Identity Management. Some of the more interesting vendors in the market are, amongst others, companies like Fischer (Provisioning), Ping Identity (Federation), TriCipher (Authentication), Arcot Systems (Authentication), Multifactor Authentication (again Authentication), and Fun Communications (Information Cards). But the number of offerings is still relatively small.
On the other hand it is obvious that IAM and GRC for the cloud will become a very fast-growing segment of the IT market, for ISVs as well as for Identity Providers. And it will also be an interesting opportunity for consultants supporting all the other providers in the cloud in enabling their applications for the IAM and GRC requirements of their customers.
To become successful as a provider in the cloud, the "externalization" of the management of authentication and authorization, as well as externalized auditing, will become mandatory. Customers can't afford to manage authorizations per cloud service but will have to apply pre-defined policies. Thus, we need new standards, and we need new semantics for existing standards like XACML at a much higher level than today.
The entire industry, i.e. cloud providers as well as customers and IAM/GRC vendors, has to work together on this. Feel free to send me your ideas and proposals on this; we're currently preparing the launch of a standards initiative on some IAM/GRC issues, and that might be the next one.
More on IAM and GRC for the Cloud at the European Identity Conference 2009 (Munich, May 5th to 8th).
20.02.2009 by Martin Kuppinger
Novell has announced that it has acquired the technology for privileged account management (PAM) from Fortefi Ltd. PAM addresses the need to better manage privileged accounts. It is a broad field, starting with root account management in Unix and Linux environments and reaching out to technical user accounts, system users, and local as well as domain administrators in Windows environments, or database and other system administrators. There are many privileged accounts out there. And these accounts frequently aren't well managed, despite the fact that they either have full access or at least a lot of access rights. Sometimes they are used by several persons, their passwords becoming (sort of) public. Frequently, no responsibility for these accounts is assigned to a user. A consistent lifecycle management is often missing.
Thus it is no surprise that auditors are analyzing the state of PAM more often than in former days. Missing PAM is a risk, opening the door for insider attacks, and sometimes making outsider attacks easier and more hazardous. Companies have to act on this.
Over the years, a pretty segmented PAM market has evolved. Some companies only address Unix/Linux root account management, others focus on Windows accounts. Most of these solutions are point solutions, even though the management of privileged accounts should be a part of the overall identity/account lifecycle management. Thus it is no surprise that Novell, as an established vendor in the IAM market, has acquired a PAM vendor. We have predicted this before, for example in our "Trend Report IAM and GRC 2009-2019". And we expect other established IAM vendors to enhance their portfolios as well. Thus, the Novell deal with Fortefi might be the first in a wave of acquisitions.
There are two important things to note:
- Novell has taken a step into this market, but the solution, which focuses on Linux/Unix root accounts, doesn't fully solve the requirements. There are many other privileged accounts out there which have to be managed. Novell will have to go beyond the Fortefi solution.
- When an IAM vendor acquires PAM technology, the logical next step is to integrate the technology with their Identity Lifecycle Management offerings, going beyond the standalone approaches which are most frequently found in the PAM market today.
Overall, the Novell acquisition will have a significant impact on the PAM market, which today is (as mentioned) segmented and where most (but not all) of the vendors are relatively small and pretty specialized.
05.02.2009 by Martin Kuppinger
There is no doubt: We are in economic turmoil. And no one really knows when things will get better again. It is definitely interesting to observe what is happening from a risk management perspective (Why didn't governments have pre-defined actions prepared? Why didn't financial institutions understand the risks or, if they understood them, why were they willing to take them? What happened to all the positive cash flow of many organizations which are now in trouble? Too much in dividends?). But that isn't my topic here. The topic is why organizations should invest in IAM and GRC, especially in these days. From my perspective, there are good reasons. And, from what I hear from vendors, the GRC market in particular is still very strong, as are at least many segments of the IAM market.
From an enterprise perspective, investments in these days should be even more focused on business value than in good days, maybe a little more on short-term value than before. Regarding IAM and GRC, there are, for sure, the negative drivers: auditors might mandate some investments, especially for SoD management, PAM (Privileged Account Management), and defined, auditable Identity/Access/Role Lifecycle Management.
But there are as well positive aspects. To name just a few:
- Using clearly defined role concepts reduces the number of single entitlements which have to be managed, thus reducing the overall administrative workload.
- Management by risk is a sort of "management by exception", focusing on the aspects which are really at risk. That's more efficient, for sure.
- Any initiative in the area of IT risk supports Operational Risk Management. Any IT risk is, in fact, tied to an operational risk. On the other hand, virtually any operational risk is related to IT risks, because IT systems are used to run the business. Very simple: Why do we talk about SoD? Because of IT? No, because of business.
- IAM and GRC are key to the flexibility of IT and to supporting changing business requirements, especially in industries which have to react fast to changing customer demands (and who doesn't?). Changing business processes requires flexible security and identity infrastructures as well as flexible controls; that's what IAM and GRC provide. Some BPM and non-IAM-aware SOA approaches aren't sufficient.
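As an added illustration (not code from the original post, nor from any product mentioned on this page), the following Python sketch models two of the points above: roles bundling entitlements so that fewer objects have to be administered, and segregation-of-duties (SoD) rules enforced preventively at assignment time rather than only detected afterwards in an audit. The role catalogue, the SoD rule pairs, the entitlement names and the user assignments are all constructed sample data.

```python
"""Toy access-governance model: roles bundle entitlements, and
segregation-of-duties (SoD) policies flag toxic combinations.

Added illustration; everything below is constructed sample data,
not taken from any product or from the original post.
"""
from itertools import combinations

# Constructed role catalogue: role -> set of system entitlements it grants.
ROLES = {
    "ap_clerk": {"erp:vendor.create", "erp:invoice.enter"},
    "ap_approver": {"erp:invoice.approve", "erp:payment.release"},
    "hr_admin": {"hr:employee.read", "hr:salary.update"},
    "it_ops": {"unix:root", "ad:domain_admin"},
}

# Constructed SoD policy: pairs of entitlements one person must never hold together.
SOD_RULES = [
    ("erp:vendor.create", "erp:payment.release"),   # create a vendor and pay it
    ("erp:invoice.enter", "erp:invoice.approve"),   # enter and approve an invoice
    ("hr:salary.update", "erp:payment.release"),    # change pay and release money
]

# Constructed user-to-role assignments (the objects an administrator manages).
ASSIGNMENTS = {
    "alice": {"ap_clerk"},
    "bob": {"ap_approver"},
    "carol": {"ap_clerk", "ap_approver"},   # toxic combination, found by audit
    "dave": {"hr_admin", "it_ops"},
}


def effective_entitlements(user):
    """Flatten a user's roles into the entitlements they actually hold."""
    ents = set()
    for role in ASSIGNMENTS.get(user, ()):
        ents |= ROLES[role]
    return ents


def sod_violations(user):
    """Detective control: which SoD rules does this user currently violate?"""
    ents = effective_entitlements(user)
    return sorted((a, b) for a, b in SOD_RULES if a in ents and b in ents)


def admin_objects_with_roles():
    """Number of assignments to manage when access is granted via roles."""
    return sum(len(roles) for roles in ASSIGNMENTS.values())


def admin_objects_without_roles():
    """Number of single entitlements to manage if roles were flattened away."""
    return sum(len(effective_entitlements(u)) for u in ASSIGNMENTS)


def toxic_role_pairs():
    """Role pairs whose combined entitlements violate a rule; these can be
    blocked in the role model itself, before anyone is ever assigned both."""
    pairs = []
    for r1, r2 in combinations(sorted(ROLES), 2):
        combined = ROLES[r1] | ROLES[r2]
        if any(a in combined and b in combined for a, b in SOD_RULES):
            pairs.append((r1, r2))
    return pairs


def request_role(user, role):
    """Preventive control: refuse an assignment that would create an SoD
    conflict. Returns (granted, conflicting_rules)."""
    proposed = effective_entitlements(user) | ROLES[role]
    hits = [(a, b) for a, b in SOD_RULES if a in proposed and b in proposed]
    if hits:
        return False, hits
    ASSIGNMENTS.setdefault(user, set()).add(role)
    return True, []


if __name__ == "__main__":
    print("objects to administer with roles:   ", admin_objects_with_roles())
    print("objects to administer without roles:", admin_objects_without_roles())
    for user in ASSIGNMENTS:
        print(user, "violates", sod_violations(user))
    print("toxic role pairs:", toxic_role_pairs())
    print("alice -> ap_approver:", request_role("alice", "ap_approver"))
    print("bob -> it_ops:", request_role("bob", "it_ops"))
```

The point of `request_role` is the one made at the top of this page: the same rule set that an audit would use to find `carol`'s conflict after the fact can be applied when the access request is made, so the violation never materializes. In a real provisioning tool the rules would be evaluated against the target systems' actual permissions, not just the role catalogue.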
I've also blogged several times about the CIO agenda. It is obvious that many of the things at the top of the CIO agenda are tightly related to IAM and GRC. Any initiative towards cloud computing requires strong IAM and GRC backing, because IAM and GRC will become much more complex when using internal as well as cloud services.
These are just some few reasons. IAM and GRC are an important foundation for any enterprise IT. And you shouldn’t build your IT on sand.
We will have some webinars around these topics. The first one will be in German, naming 10 good reasons to invest in IAM and GRC. You can register now. We will do the same webinar in English some weeks later, and additional webinars on how to do lean, focused IAM and GRC projects as well. Another interesting place to learn about these topics is, for sure, the 3rd European Identity Conference held in Munich, May 5th to 8th. The place to be!