31.07.2014 by Martin Kuppinger
A while ago I blogged about IBM being back as a leader in the IAM/IAG (Identity Access Management/Governance) market. Today the news that IBM is to acquire CrossIdeas, an Italian vendor in the Access Governance market, hit the wire.
CrossIdeas is a key player in Access Governance in its home market, but also had some recent success in other markets, both in Europe and the U.S. The company originally started in authorization and role management. Over time, CrossIdeas – formerly known as Engiweb Security before a management-buy-out – added further capabilities. At the center of their solution today is their activity-based approach on SoD (Segregation of Duties) which relies on activities within business processes to model SoD rules. This approach allows auditors and business departments creating and editing SoD rules without specific IT knowledge.
Aside of the strength in role mining/modeling and the SoD approach (which notably provides sophisticated support for SAP environments), CrossIdeas’ product IDEAS also provides a well thought-out approach on access risk analysis and management. Furthermore, there are standard capabilities for Access Governance such as Access Recertification.
Furthermore, IDEAS provides a standard integration with IBM Security Identity Manager, which has been deployed at customers before.
From IBM’s perspective, CrossIdeas and its IDEAS product add several important capabilities to the IBM portfolio. The strength in managing SoDs from a business perspective relying on business process knowledge is one of these. Access risk management is the other. Combined with the existing integration with IBM Security Identity Manager, IDEAS can provide immediate benefit to IBM. It fits well into IBM’s strategy on IAM/IAG, enhancing IBM’s offerings for “policy-based Identity and Access Analytics”.
From KuppingerCole’s perspective, IBM is further strengthening its position in the IAM/IAG market. Being “ready-to-use” based on the existing integration, we expect to see further integration at all levels – platform technology, user interfaces, etc. – into the IBM IAM/IAG portfolio quite soon.
My final paragraph of the other blog linked at the beginning has been:
I always appreciate strong competitors in a market – it helps drive innovation, which is good for the customers. The IBM investment in IAM is also a good indicator of the relevance of the market segment itself – IAM is one of the key elements for Information Security. IBM’s strategy also aligns well with my view that IAM is just one part of what you need for Information Security. Integration beyond the core IAM capabilities is needed. So, in light of IBM’s current news around IAM, I think it is worth having a closer look at them again.
Nothing to add to this.
Related KuppingerCole Research
Leadership Compass Access Governance
Executive View IBM Security QRadar
Leadership Compass Dynamic Authorization Management
Leadership Compass Identity Provisioning
Buyer’s Guide Access Governance and Identity Provisioning
Advisory Note Access Governance Architectures
Executive View IBM Security Access Manager for Enterprise Single Sign-On
Product Report CrossIdeas IDEAS
03.07.2014 by Martin Kuppinger
Earlier this year, I published the Buyer’s Guide: Access Governance and Provisioning. That document provides condensed information about key selection criteria for Identity Provisioning and Access Governance products, while also posing questions that buyers should ask of vendors.
I focused on “top 10 non-functional selection criteria” or “top 10 questions to ask the vendors”. As always with such lists that focus on the top xx, some aspects are not covered. The feedback I got so far adds some interesting aspects.
One is localization, i.e. support for different languages, character sets, etc. Given that, in particular, Access Governance is a business user application, it must be localized. Thus, questions such as the following ones might be considered:
- Which languages are supported by the end user interfaces? (maybe with a list of languages a buyer specifically needs)
- Can further languages be added?
- Is there support for double-byte characters in the user interface and the search capabilities?
The second are is reporting. This is not only about advanced “Identity/Access Analytics”, but also about basic reporting capabilities. Questions to ask here are, for instance:
- How do you modify an existing report?
- How do you implement a new one?
- Do the reports support multiple languages? Can this be implemented?
Clearly, there are far more criteria to look at when doing a thorough product selection. That is why the Buyer’s Guide is only one part of KuppingerCole services. Leadership Compass documents help in identifying relevant vendors and their particular strengths. Other reports such as Product Reports and Executive Views dive into more detail. Our advisory services include IAM/IAG maturity analysis, i.e. understanding the maturity of the current state of your IAM/IAG program, but also support the selection of vendors, backed by comprehensive, fine-grained questionnaires for RFI (Request For Information) processes. Just talk with my colleagues at email@example.com if you need more than the Top 10 questions.
26.11.2013 by Martin Kuppinger
It has been somewhat quiet around IBM’s IAM offering for the past few years. Having been one of the first large vendors entering that market, other vendors had overhauled IBM, being more innovative and setting the pace in this still emerging market.
This seems to be over now and IBM is showing up amongst the IAM leaders again. Since IBM launched its IBM Security division as part of their software business and moved the IAM product from the Tivoli division into that new division, things have changed. The IBM Security division not only is responsible for the IAM products, but a number of other offerings such as the QRadar products.
IBM has defined an IAM strategy that brings together their capabilities in Security Intelligence – such as the IBM X-Force services and the QRadar products – with IAM. The core of IAM still is formed by familiar products (if you replace “Tivoli” with “Security”), such as the IBM Security Access Manager, the IBM Security Directory Integrator, the IBM Security Identity Manager, and others. However, IBM has put a lot of work in these products to improve them and to make them leading-edge (again, in some cases).
There have been four recent announcements. One is the IBM Security Access Manager for Mobile, an appliance that allows managing mobile access, provides SSO services and risk- and context-aware access, based on information such as the IP reputation – that is where, for instance, IBM X-Force comes into play.
IBM has also introduced their own Privilege Management solution, IBM Security Privileged Identity Manager, to manage shared accounts and add strong authentication. The interesting piece there is the tight integration with QRadar to analyze real-time activity of privileged identity use.
The third major announcement is what IBM calls the IBM Security Directory Server and Integrator. Here they bring together Directory Services and Identity Federation – plus QRadar integration. Integrating federation and directory services allows managing more identities, such as external users, as well as reaching out to Cloud services.
Finally, IBM has extended their IBM Security Identity Manager – the former Tivoli Identity Manager – and added advanced analytical capabilities as well as integration with QRadar security intelligence. The latter allows for better analysis of real-time attacks and fraud detection. While such integration is not entirely new, if you look for instance at NetIQ Identity Manager and Sentinel integration, it highlights the fact that IBM is moving forward with its IAM offerings rather quickly now, showing innovation in various areas and having a clear execution strategy.
I always appreciate strong competitors in a market – it helps drive innovation, which is good for the customers. The IBM investment in IAM is also a good indicator of the relevance of the market segment itself – IAM is one of the key elements for Information Security. IBM’s strategy also aligns well with my view, that IAM is just one part of what you need for Information Security. Integration beyond the core IAM capabilities is needed. So, in light of IBM’s current news around IAM, I think it is worth having a closer look at them again.
08.07.2013 by Martin Kuppinger
Today RSA Security, a part of EMC [officially it’s “RSA, The Security Division of EMC”], has officially announced the acquisition of Aveksa, a company based in Waltham, MA. The deal closed on July 1st, 2013. Aveksa is a leading provider in the area of Identity and Access Governance (IAG), as depicted in our KuppingerCole Leadership Compass on Access Governance. Aveksa will continue to operate under the current leadership of its CEO Vick Viren Vaishnavi and will be part of the RSA Identity Trust Management business. Aveksa currently has approximately 175 employees.
One might ask why RSA did not enter the “core IAM” business earlier, when it was mainly Identity Provisioning, but for some years now that core has been complemented by and shifted towards IAG. Many people had expected such a move from RSA, given that they deliver in several other areas of the IAM market, including Strong Authentication, Versatile Authentication, Access Management and Federation. With the Aveksa acquisition, RSA definitely has made a move in that direction.
Instead of focusing on the traditional Identity Provisioning market, they focused on the emerging IAG market segment. Aveksa delivers some built-in provisioning capabilities but clearly does not have the breadth of connectors that the key-players in that market segment provide. However, with IAG increasingly becoming an integration layer for existing “legacy” provisioning tools, Aveksa has emerged as a major player. By adding some provisioning capabilities, customer requirements can be typically covered. Aveksa builds here on an enterprise-grade approach based on an Enterprise Service Bus (ESB) as the transport layer. Support for manual fulfillment is another important approach. Simply said: The number of connectors is not the key decision guage. The main measure is the support for a structured and user-friendly approach to Access Request Management, Recertification, and Access Analytics, including the underlying Enterprise Role Management.
However, the real potential of that acquisition is not that RSA as of now can provide a solution for IAG. The potential is in combining the capabilities of both companies to open new grounds for Access Governance, beyond that which is common today. In my presentation about “Redefining Access Governance: Going well beyond Recertification” at EIC 2013, I talked about eight areas of advancement for IAG – and I admittedly missed one in that list that I covered in other presentations, which is IAG for Cloud Services. The video recording of the session is available online.
There is much room for improvement. Aveksa is a strong player in IAG. RSA adds not only Access Management and Federation, but strong and versatile authentication. And there is RSA Archer, an Enterprise GRC solution. The combination of RSA and Aveksa is, by the way, the only one in the market where strong authentication and IAG come together in one vendor. That will allow creating Access Governance for risk- and context-based authentication and authorization, the next big trend in IT. My colleague Dave Kearns and myself both talked about that topic at EIC 2013 and Dave will do a Webinar on this topics later this month. Governing the rules for such environments and adding analytics for that is a field of high interest. And this is clearly not the only area where both companies can leverage synergies, given the tight relationship between cyber-attacks and Access Management and Analytics.
RSA and Aveksa have started talking about some promising ideas, even in the context of EMC. EMC can add Big Data capabilities that allow moving IAG to the next level when it comes to analytics. And not only that: Combining authentication information, external threat intelligence, risk analytics etc. – all in the combined portfolio – might lead to game-changing offerings.
So there is strong potential. Let’s see whether, how, and when RSA delivers on this potential. Still, when looking at acquisitions the other important question is: What does it mean to existing customers? The good thing is that there is virtually no overlap between the current product portfolios of these two companies. Thus, there are no products that are likely to be discontinued. In fact, for RSA customers there is really the chance for new and advanced offerings. For existing Aveksa customers, the acquisition means that their supplier right now is not a niche player anymore but part of a far larger vendor, with substantial financial backing and a far broader portfolio. Thus, there is a strong potential that this turns out to be positive for existing Aveksa customers.
But as always: Only time will tell.
25.03.2013 by Martin Kuppinger
Recently I had some conversations with both vendors and customers about licensing models for IAM (Identity and Access Management) software. Historically, most licensing models were (and still are) based on the number of users, typically “named” users (rather than “concurrent” users). License models based on the number of concurrent users are rather unusual for IAM.
Nowadays, I observe some shift towards models that are based on the number of connections or even processor-based. The number of connections is a metric that shows up in federation products, where the connection typically is defined as “a connection from the federation hub to a target system, either Identity Provider or Service Provider”. However, vendors might also focus on “concurrent connections” in the sense of users federating. I have also seen approaches that are about billing per connection, i.e. based on the actual use of a federation service, in cloud-based offerings.
I also have been involved in discussions between customers and vendors about dealing with externals (contractors, clients, vendors, etc.). When looking for an Identity Provisioning or Access Governance solution with focus on the employees, a licensing model based on named users is straightforward. It is predictable. However, once the number of external identities grows, the question of changing the metric arises. Should an external user that typically has somewhat limited access cost as much as the regular, internal user? I have seen different approaches ranging from the full fee to a percentage of the regular user fee or even flat rates for external users.
Finally, there is the discussion about classical license-plus-maintenance models versus subscription-based models without the initial fee but a constant annually rate to pay.
So what is the best model? Honestly, I do not know what the perfect model is. I even doubt that there is the perfect model for licensing. However, both vendors and customers should concentrate on the characteristics of a “good” licensing model, besides the fact that the vendor wants to earn as much as he can and the customer wants to pay as little as possible. These are, from the customer perspective
- Flexibility for adopting the model as needs change
- Flexibility to change the vendor
The first one probably is the most important one. Customers need to be able to calculate the cost in advance. That works well for flat rate models, but it does not work for models where either the user base can grow massively – think about the Identity Explosion – or which rely on the use of a service. Models that are based on a flat fee for external users, an overall flat fee (does not work well for vendors in most cases) or other factors like the number of connections to IdPs and SPs fulfill that requirement. Also processor-based licensing works quite well because it scales slowly and in a predictable manner.
The flexibility to adopt models as needs change – by both scaling up and scaling down – is another important factor. However, this again is about predictiveness. Adding new groups of users, new systems, etc. must be predictive. Doing that right can be rather attractive for customers, when they can start small with a one or two partner case and then add other federation partners or systems subsequently, with a fixed cost per added partner/system.
The flexibility to change the vendor clearly is not in the interest of the vendor, but the customer. The initial license fee is an inhibitor for change. When you have to pay 500,000 € or US$ in advance just for licenses, it is much more difficult to build the business case for switching to another vendor than when relying on subscription-based models with a lower “entry fee”.
I recommend both vendors and customers to consider these criteria when looking at pricing models and rethinking existing business models. The most important question is: will success become too expensive? Or, in other words: will the Identity Explosion destroy my calculation? Overall, I see a shift away from purely user-based licensing in most disciplines of IAM. Dealing with more types of users requires different answers.
19.03.2013 by Martin Kuppinger
Having published our second KuppingerCole Leadership Compass (on Access Governance) some ten days ago – with many others in the pipeline – I want to look at a blog post Michael Rasmussen, a former Forrester analyst and now an independent GRC expert, published in October 2012.
I do not want to comment on the Gartner Magic Quadrant and MarketScope or the Forrester Wave. I also do not fully share the opinion of Michael Rasmussen on these. His major complaint is that documents like the ones mentioned tend to be too mono-dimensional for the needs of the customer. From my perspective, there is a value in all of these documents, if used the right way. Clearly, it is not only about picking the upper left vendor – he might be the best in the overall, condensed analyst view. Nevertheless, he is not necessarily the best one for the problem a customer wants to solve. However, for identifying a long-list of vendors, such views are quite helpful.
In our Leadership Compass documents, we take another approach. There are four categories of leaders:
- Product Leaders (Product features, maturity, etc.)
- Market Leaders (Number of customers, ecosystem, global reach, etc.)
- Innovation Leaders (Current – not past – innovativeness, support for upcoming requirements, etc.)
- Overall Leaders (Combined rating)
Beyond that, we have matrices that relate product and market leadership, product and innovation leadership, and market and innovation leadership. This allows, for example, identifying vendors that are highly innovative but still have some way to go to become both product and market leaders. For some requirements, these vendors might be the best pick. Others might opt for the ones that are current product and market leaders, even while some of them might not be highly innovative.
Michael Rasmussen illustrated this in his post by noting that some customers might need a GRC vendor that is strong in Risk Management, while others might look for one with a particular strength in Audit or Policy Management.
I fully agree. However, from my perspective the customer not only needs that information, he needs a view that relates a particular strength (or weakness) to the overall product rating. A customer might start with a focus on a particular challenge, like Risk Management for Enterprise GRC products. However, over time he will in most cases need a product offering that serves all other Enterprise GRC aspects as well, at least at an adequate level. We provide that information in the additional matrices we have added to the KuppingerCole Leadership Compass on Access Governance. We will add them to upcoming Leadership Compass documents as well.
The figure above gives one example. This view shows the strength of products for SAP-specific requirements on Access Governance – the depth provided for SAP environment – in relation to the overall product rating. While the Product Leaders are the ones on the right side, the best products for SAP-specific Access Governance are the ones more to the top. SAP GRC is the clear leader when it comes to SAP-specific features, but it is not the leader when it comes to overall Access Governance functionality for heterogeneous environments.
When looking at that matrix, a customer can opt for a solution that is fairly good in both areas. He might also opt for a combined solution where he picks a specific solution for the SAP environment and another one for “the rest of the world”.
These matrices add information and provide a multi-dimensional view of the market. Michael Rasmussen is right in his complaint that not all of the products in a market segment can be easily put into the same box. However, defining market segments and identifying players therein is important for customers when they start solving a challenge and looking for vendors.
One thing I want to add: Documents such as our KuppingerCole Leadership Compass are just one of many aids customers should use in making decisions. Besides strategy, guidelines, processes, and organization, a vendor selection process needs several stages. Documents like the Leadership Compass assist in identifying long-list vendors and even short-list vendors. However, they cannot replace further evaluation, with request for information based on the specific challenges of the customer or a PoC. That is why we provide both the KuppingerCole Leadership Compass and additional advisory services to support the customer in these subsequent stages.
13.08.2012 by Martin Kuppinger
A recent discussion in the LinkedIn group “Identity Management Specialists Group” asked for the personal opinion about what is the best IdM product out there. Besides the fact that it listed only five products to choose from in a survey, this question, from my perspective, is the wrong question. If I just take the question, my answer would simply be: “None”. There is no “best product” in that market. There is only the product best suited to solve the customer’s problem. And by the way: What is IdM? OK, this is an abbreviation for “Identity Management”, which is better understood as Identity and Access Management, given that access is a bigger issue than identity. I don’t say that identity is a small challenge, but at the end of the day, business mainly cares about access.
Within the discipline of IAM we have a pretty broad range of different market segments, including Identity Provisioning, Access Governance, Access Management and Federation, Privilege Management, Enterprise Single Sign-On, and several others. IdM or IAM definitely is more than just Identity Provisioning. But to understand which technical building blocks a customer really needs, you need to understand his challenges. What is he really looking for? So it again comes down to: There is no best product, there is only the product (or set of products) which fits to the needs of the customer.
But then another aspect comes in: IAM is not really a technical issue. So raising the question for the best product ignores the fact that IAM mainly is about organization, about guidelines and policies, and about processes. Without having them defined you neither have the criteria for choosing a product nor a chance for a successful IAM initiative. You might “successfully” deploy a product, but it is about successfully implementing IAM processes in the organization. Simply said: technology follows organization.
On the other hand, if you have properly defined your organization, guidelines, policies, and processes, you will observe that most likely no product will meet all of your criteria out-of-the-box but several products will be able to serve your needs. So the relevance of “the best product” diminishes. There are products which just don’t fit your requirements. But most likely there will be some that will fit. In those cases the decisions might be much more about trust in a vendor and its capability and willingness to support your organization in implementing the product the way you want to have it then it will be about technical capabilities of a product.
So even if there were a best product, your implementation of it might fail because the product doesn’t fit to your requirements. My most important advice thus is: Understand your requirements. Define the organizational “framework” around them. And then pick the product(s) and ensure that implementation follows your specifications. Then you will most likely succeed. When just looking for technology, you might succeed in deploying technology, but chances are high that you fail in implementing IAM in your organization.
03.07.2012 by Martin Kuppinger
Dell today announced that they have a definitive agreement to acquire Quest Software. Quest Software then would form the core of the software division of Dell, which until now was pretty small. There were some business units like Dell Boomi (www.boomi.com), but no real software business.
The decision to acquire Quest Software is an interesting move which, from my perspective, makes a lot of sense. Quest’s strengths are in the areas of Identity and Access Management/Governance with their Quest One Identity portfolio and around Systems Management, particularly Windows Management, Performance Management, and Database Management. That fits the needs of the market and a company which until now has been mainly a hardware vendor. Aspects like Security (until now Dell SecureWorks and SonicWALL), Data Protection, Systems Management (Dell KACE), and Application “Modernization” (to use the Dell term) will be moved to a much higher level.
In addition, Quest Software as a company with close to 900 Mill. US$ of revenue in 2011 and nearly 4,000 employees is big enough to become a starting point for a quick growth in the software business. For Quest Software, this probably is more an opportunity than a risk – the same is true for Quest customers. The biggest risk is that companies (like Dell) without a history in the software business sometimes struggle with understanding the differences in business models, compared to their existing business. By not only acquiring small vendors and trying to build such an organization from scratch but hunting for a bigger vendor like Quest Software, Dell took another approach. They now have a big enough nucleus to further grow their software division.
On the subject of integrating acquisitions, especially software acquisitions, if Dell can keep Quest’s product management folks they have more experience at integrating acquisitions than anyone, except possibly Oracle. If they can’t keep them, and if hardware people are put in charge, then risks will increase massively. So Quest itself probably is best in integrating themselves into Dell – and potential future acquisitions into the Dell software division.
From our perspective, this acquisition is an important, strategic, and valid move of Dell and it is of little risk for existing Quest Software customers – on the contrary, we expect that Quest will be able to grow faster than before and that there is a good chance of Quest as part of Dell making its way towards a strategic software vendor for larger customers.
19.12.2011 by Martin Kuppinger
During the past few years, Quest has acquired several other IAM vendors: Völcker Informatik (Provisioning and Access Governance), Symlabs (Virtual Directory Services), Vintela (Linux/UNIX Authentication and Integration), and e-DMZ (Privileged User/Account Management) are just some examples of this shopping spree. The newest addition to the Quest portfolio is Bitkoo, a vendor in the Dynamic Authorization Management space (http://jacksonshaw.blogspot.com/2011/12/quest-acquires-bitkoo-and-dives-into.html).
This acquisition comes as no surprise given that Dynamic Authorization Management is one of the most interesting amongst the emerging segments within the IAM market. Dynamic Authorization Management is about externalizing authorization decisions from single applications and performing them against centralized backend systems, based on centralized rules. Instead of hard-coding security into applications and instead of having to maintain authorization rules in a lot of different applications, Dynamic Authorization Management systems build the backend for such decisions.
Dynamic Authorization Management thus is a core piece of identity and security services and “Application Security Infrastructures”, i.e. the set of services applications rely on when externalizing identity and security. Such services include administration (for example using central directory services), authentication (best based on versatile, context-/risk-based authentication), authorization (Dynamic Authorization Management), and auditing/alerting. The latter is sort of the missing piece, and in that area there is a lack of standards. But that is a topic I’ll cover in another post.
So Quest has acquired Bitkoo. That is not surprising given that Bitkoo fits well into the Windows-centric strategy of Quest. It adds to the portfolio, making Quest one of the vendors with a comprehensive portfolio of IAM solutions. Quest is, from the breadth of its portfolio, playing in the same league as the well-known big vendors in that space like CA, IBM, and Oracle (which, by the way, all have something to offer around Dynamic Authorization Management). Quest has shown a clear strategy in acquiring other vendors over the past years. Now it’s up to Quest to tell this message to the world, proving that they are more than the corner store selling a mish-mosh of tools for administrators. Quest has another portfolio now – and that makes them a really interesting competitor in that market.
This acquisition will most likely also increase the attention on Axiomatics, the most prominent specialized vendor left in the market of Dynamic Authorization Management. Axiomatics is on one hand the independent alternative – and on the other hand the obvious acquisition target number one now that Bitkoo is part of Quest.
23.09.2011 by Martin Kuppinger
Today Microsoft announced that they have acquired technology assets from BHOLD, a dutch vendor of Access Governance technology. Microsoft thus now owns technology which has been missing in their IAM portfolio until now. Microsoft thus enters the Access Governance market. Whether that will happen through enhancements of their existing FIM 2010 product or by adding another product based on the BHOLD technology hasn’t been announced yet. Anyhow, the deal will change the Access Governance market, particularly regarding the offerings which are targeted to complement Microsoft FIM.
KuppingerCole will follow up on this news and provide further information as soon as it is available. Overall, this acquisitions proves that Microsoft continues investing in the broader IAM space and thus rates this market segment as important to their customers. For existing BHOLD customers, the acquisition provides new opportunities given that they are working with a much bigger vendor now. However, the impact on existing customers can be rated first when the Microsoft roadmap is unveiled. In general we recommend existing BHOLD customers to stay calm until more information is available. For customers investing or planning to invest into FIM 2010, the acquisition is definitely good news because it means that FIM will grow beyond the somewhat technical approach into a more business-oriented solution over time. However, without the roadmap being unveiled it is hard to predict when Microsoft customers really will benefit.