In these days the industry talks a lot about IT GRC, Risk Management, Access Governance, Identity for the Cloud, and so on. However, we should keep in mind that the vast majority of organizations still have to do a lot of homework around basic Identity and Access Management.  And, even more: That’s the foundation for many of the other things like Access Governance, because it’s not only about auditing but as well about managing (and, honestly, it’s much more about managing and enforcing preventive controls than of auditing in a reactive way, isn’t it?).

Thus, you shouldn’t ignore Identity Provisioning, Virtual Directory Services (still one of the most valuable technologies in IAM and one of the best hidden secrets at the same time), or Enterprise SSO. You will find a lot of Podcasts of Webinar recordings at our website. Thus, I won’t analyze everything around that but focus on some few points why we still should consider the core IAM market as relevant:

• Provisioning tools have matured over the past years – and they support many of the “new” features like access certification frequently. Thus you can do a lot of things relying only on these “basic” tools instead of adding too much on top of them. Not all, but a lot. That has to be carefully analyzed but in several cases, one tool definitely is the better solution than multiple tools. That’s like in real life: There are advantages for the multi-tool, there are advantages for the specialized tools.
• If you look at the market, than there are relatively few really big organizations. Most of them have some IAM. But, correctly, most of them have more than one IAM approach and implementation. Thus, they have integration issues which is an important market, with many architectural options to solve this. And, beyond that, in these large organizations you frequently can observe a tendendy to implement some point solutions in some areas – for example an additional provisioning tool for some specific systems. Given that, there is still a lot of work to do and a lot of potential, for example in providing the provisioning tool which integrates other provisioning tools.
• The medium-sized businesses frequently don’t have much provisioning and other IAM solutions in place. Thus, there is a huge market opportunity, as well for on-premise as cloud-based solutions.
• Some implementations might be worth a review with respect to today’s requirements and solutions. There is always room for updates and even replacements.

The reason why there is somewhat fewer attention of the marketing departments of vendors on that segment (at list when looking at some vendors which have not only provisioning) is simple: Provisioning is hard to sell. E-SSO is easier to sell. Access Governance might be even easier than that. Thus, looking at the low-hanging fruits instead of focusing on products with a long sales-cycle and a lot of competition, appears to be logical from a sales perspective. However, that leaves a large portion of the market blank and it doesn’t fill the pipeline sufficiently for a time where the low-hanging fruits might have been picked.

It’s not up to me to judge about vendor marketing and sales strategies. But it is interesting to observe what is happening in the market. And that might be one reason for the relative success of several of the smaller vendors in many markets (by the way: some large vendors are very active in the “classical” segments – innovative, focused,…).

From a customer perspective, the buzz and fuzz around the new topics might divert the focus from the things which have to be done as a foundation, on which other things can be built. Thus customers always should keep in mind that they can’t be successful without doing their homework. And that includes to provide a solid foundation for provisioning – with an adequate architecture for the customer’s requirements. I’ll blog about these architectures soon but you might as well look here - I’ve touched the topic in this webinar.

Don’t miss the European Identity Conference 2010 and its Best Practice presentations to learn more about this. See you in Munich, May 4th to 7th.

German vendor Beta Systems, one of the well established vendors in the core IAM market, e.g. provisioning (notably, they provide other solutions as well), has recently unveiled the new version of its provisioning product, now called SAM Enterprise Identity Manager – in contrast to its former name SAM Jupiter. That highlights that this product is part of a specific market segment, the identity provisioning products – most of them are named “Identity Manager”. It as well shows that Beta Systems understands this release as a really major release.

And, in fact, it is. Amongst the broad set of new features, there are two really important ones:

• Beta Systems has finally managed to merge the two releases of its product. Until now, there has been a host-based and a Windows/UNIX based version. The new version runs on all platforms and has, in addition, broader platform support as well for databases and other infrastructure components. Thus, maintenance and development right now is easier for Beta Systems. And, furthermore, customers can now much easier pick their platform of choice.
• Beta Systems has added multi-tenancy capabilities, being amongst the first provisioning vendors to do that. That is not only interesting to (external and internal) service providers but as well to large organizations in industries with strong compliance regulations which for example have to enforce different segments of IT administration for different parts of the organization – like sometimes in banks.

I especially like the multi-tenancy approach because that will become a mandatory feature in provisioning tools over time.

These days I have been talking with Siemens on enhancements for their DirX Identity product, a provisioning tool (and, by the way, a pretty good one). Amongst the new features is some support for Privileged Account Management (PAM). That’s interesting. I’ve blogged some time ago about the possibility of provisioning vendors starting to acquire PAM vendors and adding these capabilities to their provisioning products.

Siemens didn’t acquire but implemented some own technology. They mainly focus on providing one-time passwords for the use of privileged accounts and re-setting these passwords after use. This is combined with strong authentication, using smartcards. In fact it is sort of a mix between product (resetting passwords and all that stuff) and project (adding strong authentication using other products). But finally they became a pioneer in integrating PAM with provisioning.

There is no doubt that the leading PAM suites like the ones provided by Cyber-Ark or Lieberman Software provide a much broader feature set. However, integrating that with provisioning tools, identity lifecycles, and existing (self) service interfaces is a valid approach. I expect other vendors to follow, adding PAM support as well. However, the specialists will provide a more sophisticated solution at least for a pretty long period of time (unless they become acquired…).

But what Siemens has done proves my thesis on PAM moving into provisioning, servicing the specific requirements of customers. And it proves that PAM is moving from a niche topic towards a mainstream technology in the broader IAM market.

Regarding the term PAM (or PIM or PUM): I prefer Privileged Account Management because it is about accounts which are associated to a person and their digital identity. The user is sometimes associated with an account, sometimes more understood as a construct in between, e.g. a user-ID with some accounts associated and sometimes the situation that some person with one digital identity could have multiple user-IDs. For what is managed, PAM seems to be the most appropriate term, from my point of view.

IBM yesterday has announced its Tivoli Identity Manager 5.1. If you read the list of new features you might end up with the same question like me: Why is it only version 5.1, e.g. a minor (.1) release instead of TIM 6? Amongst the new features are fundamental things like Role Management, SoD support, attestation and, last not least, support for some Privileged Account Management (or Privileged Identity Management, the term IBM is using). With other words: IBM has significantly expanded the feature set of its product, mainly adding a lot of IAM-GRC features to what TIM delivers. Given that they have some other interesting solutions in the GRC space, especially for analytics and dashboards, IBM definitely improves its positioning in that emerging market segment.

So the GRC stuff is one of the new areas in TIM 5.1. That’s nice, but we have seen that before. Many vendors have either added such features to their products or have released separate GRC platforms – with advantages and disadvantages in both approaches. IBM in fact has tied in that area.

Much more interesting is the addition of PIM capabilities to a provisioning solution. Even while not every aspect of PIM will be solved by what TIM 5.1 delivers, that fulfills my expectations of PIM becoming more and more part of provisioning tools – which is just logical, given that it is about managing accounts. IBM is the first vendor in the market who delivers an integration in that area. Novell might become a close follower given that they have recently acquired a PIM vendor.

With these additions, IBM would have gould reasons to name the release of TIM as version 6.0 instead of 5.1. But understanding the reasons for version numbers is definitely amongst the hardest things in IT.

However, IBM shows that they are intensively acting to improve their positioning in the IAM and GRC market space. Being one of the first big companies which had entered that market, there hasn’t been that much evolution for some time. But now IBM is definitely back and moving forward significantly, acting as a strong competitor for the other players in the market. And once they deliver on full GRC solutions, beyond IAM-GRC and access controls (and IBM is amongst the ones who might deliver on that given their strengths in areas like SIEM, ITSM, and others…) IBM might even further improve its positioning.

There is no doubt that the attestation capabilities which can be found in many of today’s IAM-GRC platforms (e.g. GRC platforms with focus on Identity and especially Access Management aspects) are important and helpful. Attestation provides a capability to go through existing entitlements and, in some cases, changes and confirm or revoke them. But: Attestation is mainly sort of a detective approach. There are two other aspects which have to be addressed as well:

• Preemptive controls which avoid that there is any access right granted which later on has to be revoked
• Controls in the sense of really managing and not just auditing

That is where active Authorization Management comes into play. In my definition, Authorization Management defines the approaches to centrally manage authorizations in underlying systems. In best case it ends up with the management of specific entitlements (that would really be “Entitlement Management”), in most cases it is only the capability to map users (using roles and so on) to system-level roles or groups or profiles. Better than nothing… In fact, most GRC solutions are limited because the provisioning solutions used are limited as well. There are only few products which can granulary manage entitlements at least for a few target systems.

But at least using higher level policies (and thus rules) and business roles to manage authorizations, e.g. in most cases controlling provisioning systems, is a huge step forward – even more if the GRC system can use the reconciliation capabilities of provisioning solutions to detect issues on the fly and not some weeks or months later when next time going through the attestation process (that might be too late – the money might be at some strange caribeean island at that point of time).

Anyhow, the big gap of provisioning still remains. Provisioning (or GRC) are in control down to the assignment of users to groups/roles/profiles in the target systems. But what these group, roles or profiles are allowed to do is managed by someone else – the operator/administrator of these target systems. You should always keep that in mind, because it is the reason why we will need not only one level of attestation but a multi-layered attestation, starting with the sysadmin who confirms that groups, roles, or profiles still have correct access rights at that level.

There is another interesting aspect of Authorization Management: Dynamic Authorization Management. Most of today’s approaches are static, e.g. they use provisioning tools or own interfaces to statically change mappings of users to groups, profiles, or roles in target systems. But there are many business rules which can’t be enforced statically. Someone might be allowed to do things up to a defined limit. Some data – for example some financial reports – have access restrictions during a quiet period. And so on. That requires authorization engines which are used as part of an externalization strategy (externalizing authentication, authorization, auditing and so on from applications) which provide the results of a dynamic authorization decision, according to defined rules, on the fly.

Today, in most cases companies rely on a single-layer attestation – which isn’t sufficient. They have to move to multi-layered attestation, to static authorization management and to dynamic authorization management. And vendors will have to enhance their products significantly to support every aspect. There is still a long way to go for IAM-GRC vendors, not even talking about extending GRC platforms to SIEM, BSM, and other aspects.

My colleague Felix Gaehtgens recently has blogged about his discussion with Tom Bishop, CTO at BMC, about the BMC strategy for IAM. His findings are very consistent with the blog of Tom Bishop which was published some weeks later and appears to be some indirect response to Felix.

It is obvious that many BMC customers are insecure about BMC’s strategy for IAM. There have been several changes, as well in BMC’s organization as in the way BMC is adressing this market. BMC has moved the development of the IAM functionality to India, where they are developing as well other major parts of their products. Some people from the IAM team – as well from the product as the sales/marketing side – in North America and EMEA have left BMC, including Jeff Bohren, one of the guys behind SPML. Even while BMC states that there are more people involved in IAM activities than before, there are some still some open questions left. Read the rest of this entry »

Novell has finally released its Identity Manager 3.6 with integrated role management. There are two points of view on this new feature:
In comparison to the integrated role management functionalities of other provisioning solutions.

• In comparison to the role management products out of the greater GRC market segment, including the business role specialists, GRC apps like SAP GRC Access Control or Identity Risk Management solutions.
• Both are valid approaches, like I’ve written in my other post from today. But it has to be kept in mind that you can’t solve every requirement with one solution – there are some which are best tackled with integrated role management and others which require a solution on top.

The implementation of Novell is pretty good in several areas, but there are also some missing elements. To start with the shortcomings: For example attestation isn’t really solved (by the way attestation is something which requires multiple levels), there are only a few standard reports and defining new approval workflows and making other more fundamental changes requires the not-that-easy-to-use Designer for Identity Manager. Designer for Identity Manager definitely is a great tool, but you really need to invest some time to understand the tool and its concepts.

The positive things are a flexible role model, integrated SoD rules (Segregation of Duties), a flexible concept with roles, policies and workflows which can be easily combined (given that you use the standard workflows or have managed to create new ones with the Designer), and an improved self-service interface, the user application which now is much more mature than for example in Identity Manager 3.0-days.

Thus, Novell has, with its first release, created a role management module which is good while there are better solutions in some (few) other provisioning products. But there is still a lot of work to do for Novell to become leading-edge in the provisioning quadrant. Compared to the GRC tools the dependency to a technical provisioning tool, even with the pretty easy user application, will always be a hurdle. Thus, Novell is competitive in the provisioning segment – but you still have to consider whether that is the right place for your role management (like with any other provisioning product).

Today, provisioning is the core element of Identity Management. Most of the products which are usually named “Identity Manager” are built around provisioning, with more or less additional features. But will that be still the case some three years from now? There are several trends which will influence provisioning significantly. The most important ones are

• Reuse of existing IT infrastructure components
• Business Role Management
• Enterprise Information Management

These trends will influence the market. One important area is the reuse of existing IT infrastructure components. There are clear advantages of using a standard workflow and business process management instead of proprietary implementations in provisioning products. For example processes can be better managed, integrated with existing supply chains and easily transferred to other systems.

Read the rest of this entry »

One trend observed is that the so called “Identity Managers”, e.g. the provisioning products, are constantly growing in functionality – and complexity. This isn’t surprising. There is strong competition between vendors and thus many vendors try to add all the functions which are offered by other vendors. The customers as well expect very complete products. But there are two things which should let us think about this strategy:

1. The increasing complexity: Thus it really make sense to create more and more complex products?
2. The still existing weaknesses: In many areas there are better solutions available as separate products than are implemented in most or all provisioning products. Have a look at business role management, GRC (Governance, Risk Management, Compliance) functionality, or workflows.

Besides this, there is not just one user group which has to deal with identity management. There are departmental managers which have to do some attestation and to invoke workflows. There are the persons which act as interface between IT and the rest of the organization which, for example, have to deal with the translation of business roles into system roles. There are technical administrators of the connected systems. With other words: There are several levels within the organization which have to be adressed – and there are several technical layers.

I personally don’t believe that more and more complex provisioning products are the best answer for the customer’s requirements. In contrast, a modular approach with defined interfaces and defined responsibilities would suit much better in most cases, especially in the larger companies. For smaller companies, a one-stop-solution might be appropriate. But in that case it has to be one which is pre-configured and easy to use, something which isn’t delivered today.

My expectation is that the market will change, with vendors who offer modular solutions (or just some modules) in a service-oriented architecture and others, who focus on the midsize market with integrated products. But todays approach to put more and more functionality (business role management, auditing,…) into a technical product will fail. Like yesterdays “Enterprise Systems Management Frameworks” have failed.