IAM@IBM: Finally back to leadership

26.11.2013 by Martin Kuppinger

It has been somewhat quiet around IBM’s IAM offering for the past few years. Although IBM was one of the first large vendors to enter that market, other vendors had overtaken it, being more innovative and setting the pace in this still emerging market.

This seems to be over now and IBM is showing up amongst the IAM leaders again. Since IBM launched its IBM Security division as part of their software business and moved the IAM products from the Tivoli division into that new division, things have changed. The IBM Security division is responsible not only for the IAM products but also for a number of other offerings such as the QRadar products.

IBM has defined an IAM strategy that brings together their capabilities in Security Intelligence – such as the IBM X-Force services and the QRadar products – with IAM. The core of IAM still is formed by familiar products (if you replace “Tivoli” with “Security”), such as the IBM Security Access Manager, the IBM Security Directory Integrator, the IBM Security Identity Manager, and others. However, IBM has put a lot of work into these products to improve them and to make them leading-edge (again, in some cases).

There have been four recent announcements. One is the IBM Security Access Manager for Mobile, an appliance that allows managing mobile access, provides SSO services and risk- and context-aware access, based on information such as the IP reputation – that is where, for instance, IBM X-Force comes into play.

IBM has also introduced their own Privilege Management solution, IBM Security Privileged Identity Manager, to manage shared accounts and add strong authentication. The interesting piece there is the tight integration with QRadar to analyze real-time activity of privileged identity use.

The third major announcement is what IBM calls the IBM Security Directory Server and Integrator. Here they bring together Directory Services and Identity Federation – plus QRadar integration. Integrating federation and directory services allows managing more identities, such as external users, as well as reaching out to Cloud services.

Finally, IBM has extended their IBM Security Identity Manager – the former Tivoli Identity Manager – and added advanced analytical capabilities as well as integration with QRadar security intelligence. The latter allows for better analysis of real-time attacks and fraud detection. While such integration is not entirely new, if you look for instance at NetIQ Identity Manager and Sentinel integration, it highlights the fact that IBM is moving forward with its IAM offerings rather quickly now, showing innovation in various areas and having a clear execution strategy.

I always appreciate strong competitors in a market – it helps drive innovation, which is good for the customers. The IBM investment in IAM is also a good indicator of the relevance of the market segment itself – IAM is one of the key elements for Information Security. IBM’s strategy also aligns well with my view, that IAM is just one part of what you need for Information Security. Integration beyond the core IAM capabilities is needed. So, in light of IBM’s current news around IAM, I think it is worth having a closer look at them again.


RSA acquires Aveksa: Will they redefine the IAM/IAG market?

08.07.2013 by Martin Kuppinger

Today RSA Security, a part of EMC [officially it’s “RSA, The Security Division of EMC”], has officially announced the acquisition of Aveksa, a company based in Waltham, MA. The deal closed on July 1st, 2013. Aveksa is a leading provider in the area of Identity and Access Governance (IAG), as depicted in our KuppingerCole Leadership Compass on Access Governance. Aveksa will continue to operate under the current leadership of its CEO Vick Viren Vaishnavi and will be part of the RSA Identity Trust Management business. Aveksa currently has approximately 175 employees.

One might ask why RSA did not enter the “core IAM” business earlier, when it was mainly Identity Provisioning, but for some years now that core has been complemented by and shifted towards IAG. Many people had expected such a move from RSA, given that they deliver in several other areas of the IAM market, including Strong Authentication, Versatile Authentication, Access Management and Federation. With the Aveksa acquisition, RSA definitely has made a move in that direction.

Instead of focusing on the traditional Identity Provisioning market, they focused on the emerging IAG market segment. Aveksa delivers some built-in provisioning capabilities but clearly does not have the breadth of connectors that the key players in that market segment provide. However, with IAG increasingly becoming an integration layer for existing “legacy” provisioning tools, Aveksa has emerged as a major player. By adding some provisioning capabilities, customer requirements can typically be covered. Aveksa builds here on an enterprise-grade approach based on an Enterprise Service Bus (ESB) as the transport layer. Support for manual fulfillment is another important approach. Simply said: the number of connectors is not the key decision gauge. The main measure is the support for a structured and user-friendly approach to Access Request Management, Recertification, and Access Analytics, including the underlying Enterprise Role Management.

However, the real potential of that acquisition is not that RSA as of now can provide a solution for IAG. The potential is in combining the capabilities of both companies to open new grounds for Access Governance, beyond that which is common today. In my presentation about “Redefining Access Governance: Going well beyond Recertification” at EIC 2013, I talked about eight areas of advancement for IAG – and I admittedly missed one in that list that I covered in other presentations, which is IAG for Cloud Services. The video recording of the session is available online.

There is much room for improvement. Aveksa is a strong player in IAG. RSA adds not only Access Management and Federation, but strong and versatile authentication. And there is RSA Archer, an Enterprise GRC solution. The combination of RSA and Aveksa is, by the way, the only one in the market where strong authentication and IAG come together in one vendor. That will allow creating Access Governance for risk- and context-based authentication and authorization, the next big trend in IT. My colleague Dave Kearns and I both talked about that topic at EIC 2013 and Dave will do a Webinar on this topic later this month. Governing the rules for such environments and adding analytics for that is a field of high interest. And this is clearly not the only area where both companies can leverage synergies, given the tight relationship between cyber-attacks and Access Management and Analytics.

RSA and Aveksa have started talking about some promising ideas, even in the context of EMC. EMC can add Big Data capabilities that allow moving IAG to the next level when it comes to analytics. And not only that: Combining authentication information, external threat intelligence, risk analytics etc. – all in the combined portfolio – might lead to game-changing offerings.

So there is strong potential. Let’s see whether, how, and when RSA delivers on this potential. Still, when looking at acquisitions the other important question is: What does it mean to existing customers? The good thing is that there is virtually no overlap between the current product portfolios of these two companies. Thus, there are no products that are likely to be discontinued. In fact, for RSA customers there is really the chance for new and advanced offerings. For existing Aveksa customers, the acquisition means that their supplier right now is not a niche player anymore but part of a far larger vendor, with substantial financial backing and a far broader portfolio. Thus, there is a strong potential that this turns out to be positive for existing Aveksa customers.

But as always: Only time will tell.


How to license Identity and Access Management software?

25.03.2013 by Martin Kuppinger

Recently I had some conversations with both vendors and customers about licensing models for IAM (Identity and Access Management) software. Historically, most licensing models were (and still are) based on the number of users, typically “named” users (rather than “concurrent” users). License models based on the number of concurrent users are rather unusual for IAM.

Nowadays, I observe some shift towards models that are based on the number of connections or even processor-based. The number of connections is a metric that shows up in federation products, where the connection typically is defined as “a connection from the federation hub to a target system, either Identity Provider or Service Provider”. However, vendors might also focus on “concurrent connections” in the sense of users federating. I have also seen approaches that are about billing per connection, i.e. based on the actual use of a federation service, in cloud-based offerings.

I also have been involved in discussions between customers and vendors about dealing with externals (contractors, clients, vendors, etc.). When looking for an Identity Provisioning or Access Governance solution with focus on the employees, a licensing model based on named users is straightforward. It is predictable. However, once the number of external identities grows, the question of changing the metric arises. Should an external user that typically has somewhat limited access cost as much as the regular, internal user? I have seen different approaches ranging from the full fee to a percentage of the regular user fee or even flat rates for external users.

Finally, there is the discussion about classical license-plus-maintenance models versus subscription-based models without the initial fee but with a constant annual rate to pay.

So what is the best model? Honestly, I do not know what the perfect model is. I even doubt that there is a perfect model for licensing. However, both vendors and customers should concentrate on the characteristics of a “good” licensing model, besides the fact that the vendor wants to earn as much as he can and the customer wants to pay as little as possible. These are, from the customer perspective:

  • Predictability
  • Flexibility to adapt the model as needs change
  • Flexibility to change the vendor

The first one probably is the most important one. Customers need to be able to calculate the cost in advance. That works well for flat rate models, but it does not work for models where either the user base can grow massively – think about the Identity Explosion – or which rely on the use of a service. Models that are based on a flat fee for external users, an overall flat fee (does not work well for vendors in most cases) or other factors like the number of connections to IdPs and SPs fulfill that requirement. Also processor-based licensing works quite well because it scales slowly and in a predictable manner.

The flexibility to adapt models as needs change – by both scaling up and scaling down – is another important factor. However, this again is about predictability. Adding new groups of users, new systems, etc. must be predictable. Doing that right can be rather attractive for customers, when they can start small with a one- or two-partner case and then add other federation partners or systems subsequently, with a fixed cost per added partner/system.

The flexibility to change the vendor clearly is not in the interest of the vendor, but the customer. The initial license fee is an inhibitor for change. When you have to pay 500,000 € or US$ in advance just for licenses, it is much more difficult to build the business case for switching to another vendor than when relying on subscription-based models with a lower “entry fee”.

I recommend both vendors and customers to consider these criteria when looking at pricing models and rethinking existing business models. The most important question is: will success become too expensive? Or, in other words: will the Identity Explosion destroy my calculation? Overall, I see a shift away from purely user-based licensing in most disciplines of IAM. Dealing with more types of users requires different answers.


Looking at vendors from various angles – KuppingerCole Leadership Compass

19.03.2013 by Martin Kuppinger

Having published our second KuppingerCole Leadership Compass (on Access Governance) some ten days ago – with many others in the pipeline – I want to look at a blog post Michael Rasmussen, a former Forrester analyst and now an independent GRC expert, published in October 2012.

I do not want to comment on the Gartner Magic Quadrant and MarketScope or the Forrester Wave. I also do not fully share the opinion of Michael Rasmussen on these. His major complaint is that documents like the ones mentioned tend to be too mono-dimensional for the needs of the customer. From my perspective, there is a value in all of these documents, if used the right way. Clearly, it is not only about picking the upper left vendor – he might be the best in the overall, condensed analyst view. Nevertheless, he is not necessarily the best one for the problem a customer wants to solve. However, for identifying a long-list of vendors, such views are quite helpful.

In our Leadership Compass documents, we take another approach. There are four categories of leaders:

  • Product Leaders (Product features, maturity, etc.)
  • Market Leaders (Number of customers, ecosystem, global reach, etc.)
  • Innovation Leaders (Current – not past – innovativeness, support for upcoming requirements, etc.)
  • Overall Leaders (Combined rating)

Beyond that, we have matrices that relate product and market leadership, product and innovation leadership, and market and innovation leadership. This allows, for example, identifying vendors that are highly innovative but still have some way to go to become both product and market leaders. For some requirements, these vendors might be the best pick. Others might opt for the ones that are current product and market leaders, even while some of them might not be highly innovative.

[Figure: Leadership Compass matrix – SAP-specific Access Governance strength in relation to overall product rating]

Michael Rasmussen illustrated this in his post by noting that some customers might need a GRC vendor that is strong in Risk Management, while others might look for one with a particular strength in Audit or Policy Management.

I fully agree. However, from my perspective the customer not only needs that information, he needs a view that relates a particular strength (or weakness) to the overall product rating. A customer might start with a focus on a particular challenge, like Risk Management for Enterprise GRC products. However, over time he will in most cases need a product offering that serves all other Enterprise GRC aspects as well, at least at an adequate level. We provide that information in the additional matrices we have added to the KuppingerCole Leadership Compass on Access Governance. We will add them to upcoming Leadership Compass documents as well.

The figure above gives one example. This view shows the strength of products for SAP-specific requirements on Access Governance – the depth provided for SAP environment – in relation to the overall product rating. While the Product Leaders are the ones on the right side, the best products for SAP-specific Access Governance are the ones more to the top. SAP GRC is the clear leader when it comes to SAP-specific features, but it is not the leader when it comes to overall Access Governance functionality for heterogeneous environments.

When looking at that matrix, a customer can opt for a solution that is fairly good in both areas. He might also opt for a combined solution where he picks a specific solution for the SAP environment and another one for “the rest of the world”.

These matrices add information and provide a multi-dimensional view of the market. Michael Rasmussen is right in his complaint that not all of the products in a market segment can be easily put into the same box. However, defining market segments and identifying players therein is important for customers when they start solving a challenge and looking for vendors.

One thing I want to add: Documents such as our KuppingerCole Leadership Compass are just one of many aids customers should use in making decisions. Besides strategy, guidelines, processes, and organization, a vendor selection process needs several stages. Documents like the Leadership Compass assist in identifying long-list vendors and even short-list vendors. However, they cannot replace further evaluation, with a request for information based on the specific challenges of the customer or a PoC. That is why we provide both the KuppingerCole Leadership Compass and additional advisory services to support the customer in these subsequent stages.


The best product for IdM?

13.08.2012 by Martin Kuppinger

A recent discussion in the LinkedIn group “Identity Management Specialists Group” asked for the personal opinion about what is the best IdM product out there. Besides the fact that it listed only five products to choose from in a survey, this question, from my perspective, is the wrong question. If I just take the question, my answer would simply be: “None”. There is no “best product” in that market. There is only the product best suited to solve the customer’s problem. And by the way: What is IdM? OK, this is an abbreviation for “Identity Management”, which is better understood as Identity and Access Management, given that access is a bigger issue than identity. I don’t say that identity is a small challenge, but at the end of the day, business mainly cares about access.

Within the discipline of IAM we have a pretty broad range of different market segments, including Identity Provisioning, Access Governance, Access Management and Federation, Privilege Management, Enterprise Single Sign-On, and several others. IdM or IAM definitely is more than just Identity Provisioning. But to understand which technical building blocks a customer really needs, you need to understand his challenges. What is he really looking for? So it again comes down to: There is no best product, there is only the product (or set of products) which fits the needs of the customer.

But then another aspect comes in: IAM is not really a technical issue. So raising the question for the best product ignores the fact that IAM mainly is about organization, about guidelines and policies, and about processes. Without having them defined you neither have the criteria for choosing a product nor a chance for a successful IAM initiative. You might “successfully” deploy a product, but it is about successfully implementing IAM processes in the organization. Simply said: technology follows organization.

On the other hand, if you have properly defined your organization, guidelines, policies, and processes, you will observe that most likely no product will meet all of your criteria out-of-the-box but several products will be able to serve your needs. So the relevance of “the best product” diminishes. There are products which just don’t fit your requirements. But most likely there will be some that will fit. In those cases the decision might be much more about trust in a vendor and its capability and willingness to support your organization in implementing the product the way you want to have it than about the technical capabilities of a product.

So even if there were a best product, your implementation of it might fail because the product doesn’t fit your requirements. My most important advice thus is: Understand your requirements. Define the organizational “framework” around them. And then pick the product(s) and ensure that implementation follows your specifications. Then you will most likely succeed. When just looking for technology, you might succeed in deploying technology, but chances are high that you fail in implementing IAM in your organization.


Dell to acquire Quest Software – really starting their software business now?

03.07.2012 by Martin Kuppinger

Dell today announced that they have a definitive agreement to acquire Quest Software. Quest Software then would form the core of the software division of Dell, which until now was pretty small. There were some business units like Dell Boomi (www.boomi.com), but no real software business.

The decision to acquire Quest Software is an interesting move which, from my perspective, makes a lot of sense. Quest’s strengths are in the areas of Identity and Access Management/Governance with their Quest One Identity portfolio and around Systems Management, particularly Windows Management, Performance Management, and Database Management. That fits the needs of the market and a company which until now has been mainly a hardware vendor. Aspects like Security (until now Dell SecureWorks and SonicWALL), Data Protection, Systems Management (Dell KACE), and Application “Modernization” (to use the Dell term) will be moved to a much higher level.

In addition, Quest Software as a company with close to 900 Mill. US$ of revenue in 2011 and nearly 4,000 employees is big enough to become a starting point for quick growth in the software business. For Quest Software, this probably is more an opportunity than a risk – the same is true for Quest customers. The biggest risk is that companies (like Dell) without a history in the software business sometimes struggle with understanding the differences in business models, compared to their existing business. By not only acquiring small vendors and trying to build such an organization from scratch but hunting for a bigger vendor like Quest Software, Dell took another approach. They now have a big enough nucleus to further grow their software division.

On the subject of integrating acquisitions, especially software acquisitions, if Dell can keep Quest’s product management folks they have more experience at integrating acquisitions than anyone, except possibly Oracle. If they can’t keep them, and if hardware people are put in charge, then risks will increase massively. So Quest itself probably is best in integrating themselves into Dell – and potential future acquisitions into the Dell software division.

From our perspective, this acquisition is an important, strategic, and valid move of Dell and it is of little risk for existing Quest Software customers – on the contrary, we expect that Quest will be able to grow faster than before and that there is a good chance of Quest as part of Dell making its way towards a strategic software vendor for larger customers.


Quest acquires Bitkoo – another step for Quest to play with the big boys

19.12.2011 by Martin Kuppinger

During the past few years, Quest has acquired several other IAM vendors: Völcker Informatik (Provisioning and Access Governance), Symlabs (Virtual Directory Services), Vintela (Linux/UNIX Authentication and Integration), and e-DMZ (Privileged User/Account Management) are just some examples of this shopping spree. The newest addition to the Quest portfolio is Bitkoo, a vendor in the Dynamic Authorization Management space (http://jacksonshaw.blogspot.com/2011/12/quest-acquires-bitkoo-and-dives-into.html).

This acquisition comes as no surprise given that Dynamic Authorization Management is one of the most interesting amongst the emerging segments within the IAM market. Dynamic Authorization Management is about externalizing authorization decisions from single applications and performing them against centralized backend systems, based on centralized rules. Instead of hard-coding security into applications and instead of having to maintain authorization rules in a lot of different applications, Dynamic Authorization Management systems build the backend for such decisions.

Dynamic Authorization Management thus is a core piece of identity and security services and “Application Security Infrastructures”, i.e. the set of services applications rely on when externalizing identity and security. Such services include administration (for example using central directory services), authentication (best based on versatile, context-/risk-based authentication), authorization (Dynamic Authorization Management), and auditing/alerting. The latter is sort of the missing piece, and in that area there is a lack of standards. But that is a topic I’ll cover in another post.
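As an added illustration of the externalized-authorization pattern the preceding paragraphs describe (this is not code from Bitkoo, Quest, or the original post), here is a minimal policy decision point (PDP) in Python that two sample applications call as policy enforcement points (PEPs) instead of hard-coding their own access checks. The rule names, attribute names, sample users, the deny-overrides/default-deny semantics and the in-memory audit log are all assumptions chosen for the example.

```python
"""Minimal externalized authorization service (a policy decision point, PDP)
with two sample applications acting as policy enforcement points (PEPs).
Added illustration, not Bitkoo/Quest code. All policy rules, attribute
names and sample users below are constructed for this example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


# A request carries the attributes a real PEP would gather: who, what,
# on which resource, and under which context (auth strength, network, ...).
@dataclass
class Request:
    subject: Dict[str, object]   # e.g. {"id": "alice", "roles": ["finance"]}
    action: str                  # e.g. "read", "approve"
    resource: Dict[str, object]  # e.g. {"type": "invoice", "owner": "bob"}
    context: Dict[str, object] = field(default_factory=dict)  # e.g. {"auth_level": 2}


@dataclass
class Rule:
    name: str
    effect: str                       # "permit" or "deny"
    condition: Callable[[Request], bool]


@dataclass
class Decision:
    effect: str            # "permit" or "deny"
    rule: Optional[str]    # the rule that fired, or None when no rule matched


class PolicyDecisionPoint:
    """Evaluates rules in order. Deny rules are listed first so they override
    any permit (deny-overrides); anything no rule matches is denied (default deny)."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.audit: List[str] = []   # the auditing/alerting piece the post mentions

    def decide(self, req: Request) -> Decision:
        for rule in self.rules:
            if rule.condition(req):
                d = Decision(rule.effect, rule.name)
                break
        else:
            d = Decision("deny", None)
        self.audit.append(f"{req.subject.get('id')} {req.action} "
                          f"{req.resource.get('type')} -> {d.effect} ({d.rule})")
        return d


# Central rule set shared by all applications (constructed sample rules).
RULES = [
    Rule("deny-confidential-from-untrusted-network", "deny",
         lambda r: r.context.get("network") == "untrusted"
         and r.resource.get("classification") == "confidential"),
    Rule("deny-self-approval", "deny",
         lambda r: r.action == "approve" and r.resource.get("owner") == r.subject.get("id")),
    Rule("approve-needs-strong-auth", "deny",
         lambda r: r.action == "approve" and r.context.get("auth_level", 0) < 2),
    Rule("finance-approve", "permit",
         lambda r: r.action == "approve" and "finance" in r.subject.get("roles", [])
         and r.resource.get("type") == "invoice"),
    Rule("owner-read", "permit",
         lambda r: r.action == "read" and r.resource.get("owner") == r.subject.get("id")),
    Rule("staff-read-internal", "permit",
         lambda r: r.action == "read" and r.resource.get("classification") == "internal"),
]

PDP = PolicyDecisionPoint(RULES)


# Two PEPs: neither application contains authorization logic of its own.
def invoice_app_approve(user, invoice, context) -> bool:
    return PDP.decide(Request(user, "approve", invoice, context)).effect == "permit"


def document_app_read(user, document, context) -> bool:
    return PDP.decide(Request(user, "read", document, context)).effect == "permit"


# Constructed sample identities, resources and contexts for a stand-alone run.
ALICE = {"id": "alice", "roles": ["finance"]}
BOB = {"id": "bob", "roles": ["staff"]}
INVOICE = {"type": "invoice", "owner": "bob", "classification": "internal"}
SECRET_DOC = {"type": "document", "owner": "bob", "classification": "confidential"}
STRONG = {"auth_level": 2, "network": "corporate"}
WEAK_REMOTE = {"auth_level": 1, "network": "untrusted"}


def demo() -> Dict[str, bool]:
    return {
        "alice_approve_strong": invoice_app_approve(ALICE, INVOICE, STRONG),
        "alice_approve_weak": invoice_app_approve(ALICE, INVOICE, WEAK_REMOTE),
        "bob_approve_own": invoice_app_approve(BOB, INVOICE, STRONG),
        "bob_read_secret_remote": document_app_read(BOB, SECRET_DOC, WEAK_REMOTE),
        "bob_read_secret_corp": document_app_read(BOB, SECRET_DOC, STRONG),
        "alice_read_secret_corp": document_app_read(ALICE, SECRET_DOC, STRONG),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(name, allowed)
    print(*PDP.audit, sep="\n")
```

Because the rules live in one place, changing the policy (for example raising the authentication level required to approve) changes the behaviour of every application at once, and the PDP's audit trail records every decision together with the rule that produced it, which is the hook the post's "auditing/alerting" service would consume.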

So Quest has acquired Bitkoo. That is not surprising given that Bitkoo fits well into the Windows-centric strategy of Quest. It adds to the portfolio, making Quest one of the vendors with a comprehensive portfolio of IAM solutions. Quest is, from the breadth of its portfolio, playing in the same league as the well-known big vendors in that space like CA, IBM, and Oracle (which, by the way, all have something to offer around Dynamic Authorization Management). Quest has shown a clear strategy in acquiring other vendors over the past years. Now it’s up to Quest to tell this message to the world, proving that they are more than the corner store selling a mishmash of tools for administrators. Quest has another portfolio now – and that makes them a really interesting competitor in that market.

This acquisition will most likely also increase the attention on Axiomatics, the most prominent specialized vendor left in the market of Dynamic Authorization Management. Axiomatics is on one hand the independent alternative – and on the other hand the obvious acquisition target number one now that Bitkoo is part of Quest.


Microsoft acquires BHOLD technology assets

23.09.2011 by Martin Kuppinger

Today Microsoft announced that they have acquired technology assets from BHOLD, a Dutch vendor of Access Governance technology. Microsoft thus now owns technology which has been missing in their IAM portfolio until now, and thus enters the Access Governance market. Whether that will happen through enhancements of their existing FIM 2010 product or by adding another product based on the BHOLD technology hasn’t been announced yet. Anyhow, the deal will change the Access Governance market, particularly regarding the offerings which are targeted to complement Microsoft FIM.

KuppingerCole will follow up on this news and provide further information as soon as it is available. Overall, this acquisition proves that Microsoft continues investing in the broader IAM space and thus rates this market segment as important to their customers. For existing BHOLD customers, the acquisition provides new opportunities given that they are working with a much bigger vendor now. However, the impact on existing customers can only be assessed once the Microsoft roadmap is unveiled. In general we recommend that existing BHOLD customers stay calm until more information is available. For customers investing or planning to invest in FIM 2010, the acquisition is definitely good news because it means that FIM will grow beyond the somewhat technical approach into a more business-oriented solution over time. However, without the roadmap being unveiled it is hard to predict when Microsoft customers really will benefit.


Critical success factors for IAM projects

13.07.2011 by Martin Kuppinger

This is sort of a “back to the roots” post, but for some good reason. I’ve done several advisories and customer calls recently, and in some of them it became obvious that companies tend to miss some of the critical success factors for IAM (Identity and Access Management). Some of the projects are still too technology-focused. So I’ve put together some key success factors for IAM projects. These are not that technical, so you won’t read things like “support the cloud”, because that should just be a result of the requirements analysis.

Requirements: Understand the requirements of Business and IT – of both! And look at what might become requirements soon, i.e. the obvious trends (like Cloud Computing, like the increasing regulatory compliance pressure even in not-that-heavily regulated industries). Knowing the requirements helps in defining the right architecture and in slicing the big elephant of IAM into smaller pieces, e.g. projects you can handle successfully.

Architecture: IAM is more than only provisioning, even while provisioning still is an important element. But overall, architectures are increasingly modular, providing more flexibility, better integration with other pieces of IT, and the ability to serve new requirements quickly when needed. So, look at the architectural options you have today and don’t focus on the classical architectures only.

Context: IAM is one element of IT, and one piece of your Information Security framework. It has to interface with Service Management and with other Information Security technologies, as well as with the entire GRC (Governance, Risk Management, Compliance) stack. So don’t look at IAM without understanding how it fits into the big picture.

Policies, Processes, Roles: Does your organization have well-defined policies for IAM? Does it have well-defined processes? And how about business roles, defined by the business? If any of these elements is missing, important input for your IAM deployment is missing. The policies define what you have to do and what to do first, the processes are about your implementation of provisioning and Access Governance (and more) – not even to speak about roles. The good news is that businesses better understand the need for these and are more willing to actively work on these topics than some years ago.

Team: For sure it is always about having the right people – the ones who understand technology, the ones who understand business, and the ones who connect both sides.

Service focus: Last but not least it is about having a service focus. IAM is one service IT provides, as part of Information Security. It has to be user-centric, focusing on the services the users (from business and IT) require. That includes integration points to your service management environment.

You might define other ones – but these are the ones I find most important from my experience.


Calendra is back – at least sort of

22.06.2011 by Martin Kuppinger

Do you remember Calendra? The vendor which was acquired by BMC many years ago? At least many existing and remaining customers require Calendra. And some of them really miss the company.

What made Calendra popular was their tool which allowed quickly building applications to deal with information held in directories. That approach was different from provisioning, different from meta directories, and it was not just hard-coding everything. Being a specialized IDE for database environments, it allowed customers to quickly build directory-based applications, for example to manage employee data or to implement specific approaches for delegated administrators.

Even while a few vendors try to fill the gap, such a gap still appears to exist. But there is more than a silver lining on the horizon. The German company ITConcepts, a BMC partner (amongst others), has acquired the Calendra technology and is re-launching it. The product will be named Cognitum. The first version, available now, is more or less a rebranded version of the existing Calendra product. ITConcepts plans to quickly release an updated version with support for newer versions of Java stacks and some other maintenance, before moving forward with functional enhancements.

The good news for existing Calendra customers today is: Someone is working actively on that product again and provides support. And ITConcepts has a defined roadmap which looks realistic and doesn’t promise too much. However, given that ITConcepts has been a system integrator only until now, it will be interesting to observe how they execute in the software business. In any case, it is worth it for Calendra customers to have a look at this offer. And chances are good that the gap in the overall IAM landscape which was sort of left when Calendra was acquired by BMC will be filled again.


© 2014 Martin Kuppinger, KuppingerCole