Today, Quest announced that they will acquire the German Völcker Informatik AG with its ActiveEntry product, a leading-edge identity provisioning solutions with some integrated Access Governance capabilities. From my perspective, that is a very interesting acquisition, which brings Quest into a leading position in the overall IAM market. Until now, Quest has been a provider of several point solutions around IAM issues. They had some provisioning capabilities in their ActiveRoles Server before – but it hasn’t been the technical leading-edge product but more an add-on for some provisioning for Active Directory and a little beyond.

Right now, they are one of the vendors in the market which have solutions in most of the areas of IAM. They have one of the (from a technology perspective) definitely leading-edge products in the markets for identity provisioning. And they have a lot of complementary solutions. Beyond that, ActiveEntry fits very well into the Quest portfolio by supporting Active Directory environments at a high level but going well beyond that. Thus, it is sort of the perfect fit.

Quest right now is a full competitor of the big and established ones in the market like Oracle, IBM, Novell, and the others. It is in an interesting competitive position regarding Microsoft, Omada and related vendors. And, if you look at the number of people working around IAM, Quest is also from that perspective one of the vendors with the biggest potential in the market. With other words: This acquisition will heavily affect the IAM market and Quest will be one of the vendors to really take into account now.

There are several reports on Quest and Völcker from KuppingerCole available at www.kuppingercole.com/reports. Have a look at them (or ask us for advice…).

It became pretty quiet around directory services during the last years. When I remember the discussions back some 10, 15 or 20 years around NDS versus LAN Manager (and the underlying domain approach) or Active Directory when it came to market, and even the discussions which came up in the early days of OpenLDAP, it is pretty quiet nowadays. Are all the problems solved? Are the right directories in place? Are the best solutions chosen when something changes?

When talking with end user organizations it becomes obvious that we are far away from that state. There are implementations of different directories, and most of them work well for their specific use case. But once it comes to optimization, the situation changes. What to put in the Active Directory, what not? How to optimize the way applications are dealing with directories? How to best build a corporate directory or a meta directory (the directory as data store, not the meta directory service as technology for synchronization!)? How to interface directories for specific use cases and how to best retrieve information?

There are many aspects to discuss and to understand to end up with an optimized “directory infrastructure”. First of all, it is important to understand which directories you have and how they are used – usually there are far more directories out there than you’d expect. And I’m not only talking about the Active Directory, eDirectory and all the LDAP servers, but as well about “de facto” directories in the form of tables in databases and so on. I’m talking about anything which acts as a directory. That includes the application directories, which might be hundreds of small directories. And they sometimes contain sensitive information like privacy-relevant data. Besides this, they frequently have somewhat redundant data. Based on this analysis, you can drill down and identify which attributes have to flow between which directories in which use cases.

The latter is more about really optimizing your provisioning. The analysis is, on the other hand, as well a good foundation for optimizing your directory infrastructure. Where can you avoid redundancy?

Based on such an overview, you can think about some other aspects:

• Which central directories do you need for which use cases?
• How to optimize application access on directories?
• Where do you need specific technology for these directories beyond standard LDAP?

There is always a need for some more or less central directories. The Active Directory or eDirectory are examples, used for the primary authentication of internal users and for many infrastructure services – but they can’t do anything. There are Corporate Directories for centralized access to corporate information. There are more technical meta directories as the “source of truth” about distributed information.

We have to think about optimizing the application directories. One or few centralized directories together with Virtual Directory Services which are offered for example by Radiant Logic, Oracle, and Symlabs are an interesting option do build such a centralized yet flexible infrastructure, with the Virtual Directory Service as interface layer.

And we have to look at specific use cases where we need specialized technology. There are some innovative vendors out there. UnboundID for high scalable environments, where others like Oracle, Novell, Siemens, and so on are active as well. eNitiatives with their ViewDS services for strong querying capabilities and the ability to easily build interfaces in a “yellow page” style to these directories.

My experience is, that there is still a lot of need to think about directory services – and there is a lot room for improvement in most IT environments. What is your view on that topic?

I’ve done several webinars around changing architectures for Identity Provisioning and Access Governance during the last few months. And new architectural approaches for Provisioning have been an important topic at the EIC for years. I’ve also written a report on Access Governance architectures recently. That is no surprise. Provisioning has to integrate with IT Service Management in some way. It has to support the standard systems where automation is key as well as other systems which either don’t support automation interfaces (unfortunately there are several apps out there which don’t provide integration points, including several important healthcare apps) or where automation is too expensive. Thus, it is not only about connectors. It is about a flexible support for different approaches, from manual workflows to full bi-directional automation.

For the core systems, it definitely makes sense to automate. Many transactions, high risks – these are reasons to invest in direct connectors. But there are many other systems out there which need to be connected as well. Even while there aren’t that many standard interfaces (Web Services, Command Line Interfaces, JDBC/ODBC, LDAP,…) which are commonly used to interact with target systems, the customization and integration is costly anyhow. “Connector fabrics” and other approaches help, but typically organizations end up with some systems which are tightly connected and others which aren’t.

There are many approaches to integrate these systems. There might be specific provisioning tools (FIM/ILM, Quest ARS, and others for Active Directory; SAP NW IDM for SAP;…) in place which can be integrated with other provisioning systems. There might be existing processes based on SRM (Service Request Management) tools. There might be the need for additional manual workflows and some access governance to track whether the manual actions have been performed or not.

With other words: Flexibility is key. Flexibility for architectures, where Identity Provisioning and Access Governance tools are just one element – there might be more than one Provisioning tool, there might be SRM, existing workflows, the integration of Provisioning and Access Governance, interfaces to Enterprise Portals, and so on. And flexibility for connections to systems, by not only relying on automation.

Interestingly, I had some briefings in the last few weeks where vendors – like Courion and Aveksa – highlighted new capabilities which are exactly targeted on this. There are other vendors which started with that before. However, it seems to become a major trend right now – open, flexible architectures for Provisioning and Access Governance. For customers, that means that they have to think a little more about the adequate architecture. On the other hand, that might save them significantly more money by choosing an approach which really fits to what they have.

Hope to see you at EIC 2010 in Munich, May 4th to 7th, 2010.

In these days the industry talks a lot about IT GRC, Risk Management, Access Governance, Identity for the Cloud, and so on. However, we should keep in mind that the vast majority of organizations still have to do a lot of homework around basic Identity and Access Management.  And, even more: That’s the foundation for many of the other things like Access Governance, because it’s not only about auditing but as well about managing (and, honestly, it’s much more about managing and enforcing preventive controls than of auditing in a reactive way, isn’t it?).

Thus, you shouldn’t ignore Identity Provisioning, Virtual Directory Services (still one of the most valuable technologies in IAM and one of the best hidden secrets at the same time), or Enterprise SSO. You will find a lot of Podcasts of Webinar recordings at our website. Thus, I won’t analyze everything around that but focus on some few points why we still should consider the core IAM market as relevant:

• Provisioning tools have matured over the past years – and they support many of the “new” features like access certification frequently. Thus you can do a lot of things relying only on these “basic” tools instead of adding too much on top of them. Not all, but a lot. That has to be carefully analyzed but in several cases, one tool definitely is the better solution than multiple tools. That’s like in real life: There are advantages for the multi-tool, there are advantages for the specialized tools.
• If you look at the market, than there are relatively few really big organizations. Most of them have some IAM. But, correctly, most of them have more than one IAM approach and implementation. Thus, they have integration issues which is an important market, with many architectural options to solve this. And, beyond that, in these large organizations you frequently can observe a tendendy to implement some point solutions in some areas – for example an additional provisioning tool for some specific systems. Given that, there is still a lot of work to do and a lot of potential, for example in providing the provisioning tool which integrates other provisioning tools.
• The medium-sized businesses frequently don’t have much provisioning and other IAM solutions in place. Thus, there is a huge market opportunity, as well for on-premise as cloud-based solutions.
• Some implementations might be worth a review with respect to today’s requirements and solutions. There is always room for updates and even replacements.

The reason why there is somewhat fewer attention of the marketing departments of vendors on that segment (at list when looking at some vendors which have not only provisioning) is simple: Provisioning is hard to sell. E-SSO is easier to sell. Access Governance might be even easier than that. Thus, looking at the low-hanging fruits instead of focusing on products with a long sales-cycle and a lot of competition, appears to be logical from a sales perspective. However, that leaves a large portion of the market blank and it doesn’t fill the pipeline sufficiently for a time where the low-hanging fruits might have been picked.

It’s not up to me to judge about vendor marketing and sales strategies. But it is interesting to observe what is happening in the market. And that might be one reason for the relative success of several of the smaller vendors in many markets (by the way: some large vendors are very active in the “classical” segments – innovative, focused,…).

From a customer perspective, the buzz and fuzz around the new topics might divert the focus from the things which have to be done as a foundation, on which other things can be built. Thus customers always should keep in mind that they can’t be successful without doing their homework. And that includes to provide a solid foundation for provisioning – with an adequate architecture for the customer’s requirements. I’ll blog about these architectures soon but you might as well look here - I’ve touched the topic in this webinar.

Don’t miss the European Identity Conference 2010 and its Best Practice presentations to learn more about this. See you in Munich, May 4th to 7th.

German vendor Beta Systems, one of the well established vendors in the core IAM market, e.g. provisioning (notably, they provide other solutions as well), has recently unveiled the new version of its provisioning product, now called SAM Enterprise Identity Manager – in contrast to its former name SAM Jupiter. That highlights that this product is part of a specific market segment, the identity provisioning products – most of them are named “Identity Manager”. It as well shows that Beta Systems understands this release as a really major release.

And, in fact, it is. Amongst the broad set of new features, there are two really important ones:

• Beta Systems has finally managed to merge the two releases of its product. Until now, there has been a host-based and a Windows/UNIX based version. The new version runs on all platforms and has, in addition, broader platform support as well for databases and other infrastructure components. Thus, maintenance and development right now is easier for Beta Systems. And, furthermore, customers can now much easier pick their platform of choice.
• Beta Systems has added multi-tenancy capabilities, being amongst the first provisioning vendors to do that. That is not only interesting to (external and internal) service providers but as well to large organizations in industries with strong compliance regulations which for example have to enforce different segments of IT administration for different parts of the organization – like sometimes in banks.

I especially like the multi-tenancy approach because that will become a mandatory feature in provisioning tools over time.

These days I have been talking with Siemens on enhancements for their DirX Identity product, a provisioning tool (and, by the way, a pretty good one). Amongst the new features is some support for Privileged Account Management (PAM). That’s interesting. I’ve blogged some time ago about the possibility of provisioning vendors starting to acquire PAM vendors and adding these capabilities to their provisioning products.

Siemens didn’t acquire but implemented some own technology. They mainly focus on providing one-time passwords for the use of privileged accounts and re-setting these passwords after use. This is combined with strong authentication, using smartcards. In fact it is sort of a mix between product (resetting passwords and all that stuff) and project (adding strong authentication using other products). But finally they became a pioneer in integrating PAM with provisioning.

There is no doubt that the leading PAM suites like the ones provided by Cyber-Ark or Lieberman Software provide a much broader feature set. However, integrating that with provisioning tools, identity lifecycles, and existing (self) service interfaces is a valid approach. I expect other vendors to follow, adding PAM support as well. However, the specialists will provide a more sophisticated solution at least for a pretty long period of time (unless they become acquired…).

But what Siemens has done proves my thesis on PAM moving into provisioning, servicing the specific requirements of customers. And it proves that PAM is moving from a niche topic towards a mainstream technology in the broader IAM market.

Regarding the term PAM (or PIM or PUM): I prefer Privileged Account Management because it is about accounts which are associated to a person and their digital identity. The user is sometimes associated with an account, sometimes more understood as a construct in between, e.g. a user-ID with some accounts associated and sometimes the situation that some person with one digital identity could have multiple user-IDs. For what is managed, PAM seems to be the most appropriate term, from my point of view.

IBM yesterday has announced its Tivoli Identity Manager 5.1. If you read the list of new features you might end up with the same question like me: Why is it only version 5.1, e.g. a minor (.1) release instead of TIM 6? Amongst the new features are fundamental things like Role Management, SoD support, attestation and, last not least, support for some Privileged Account Management (or Privileged Identity Management, the term IBM is using). With other words: IBM has significantly expanded the feature set of its product, mainly adding a lot of IAM-GRC features to what TIM delivers. Given that they have some other interesting solutions in the GRC space, especially for analytics and dashboards, IBM definitely improves its positioning in that emerging market segment.

So the GRC stuff is one of the new areas in TIM 5.1. That’s nice, but we have seen that before. Many vendors have either added such features to their products or have released separate GRC platforms – with advantages and disadvantages in both approaches. IBM in fact has tied in that area.

Much more interesting is the addition of PIM capabilities to a provisioning solution. Even while not every aspect of PIM will be solved by what TIM 5.1 delivers, that fulfills my expectations of PIM becoming more and more part of provisioning tools – which is just logical, given that it is about managing accounts. IBM is the first vendor in the market who delivers an integration in that area. Novell might become a close follower given that they have recently acquired a PIM vendor.

With these additions, IBM would have gould reasons to name the release of TIM as version 6.0 instead of 5.1. But understanding the reasons for version numbers is definitely amongst the hardest things in IT.

However, IBM shows that they are intensively acting to improve their positioning in the IAM and GRC market space. Being one of the first big companies which had entered that market, there hasn’t been that much evolution for some time. But now IBM is definitely back and moving forward significantly, acting as a strong competitor for the other players in the market. And once they deliver on full GRC solutions, beyond IAM-GRC and access controls (and IBM is amongst the ones who might deliver on that given their strengths in areas like SIEM, ITSM, and others…) IBM might even further improve its positioning.

There is no doubt that the attestation capabilities which can be found in many of today’s IAM-GRC platforms (e.g. GRC platforms with focus on Identity and especially Access Management aspects) are important and helpful. Attestation provides a capability to go through existing entitlements and, in some cases, changes and confirm or revoke them. But: Attestation is mainly sort of a detective approach. There are two other aspects which have to be addressed as well:

• Preemptive controls which avoid that there is any access right granted which later on has to be revoked
• Controls in the sense of really managing and not just auditing

That is where active Authorization Management comes into play. In my definition, Authorization Management defines the approaches to centrally manage authorizations in underlying systems. In best case it ends up with the management of specific entitlements (that would really be “Entitlement Management”), in most cases it is only the capability to map users (using roles and so on) to system-level roles or groups or profiles. Better than nothing… In fact, most GRC solutions are limited because the provisioning solutions used are limited as well. There are only few products which can granulary manage entitlements at least for a few target systems.

But at least using higher level policies (and thus rules) and business roles to manage authorizations, e.g. in most cases controlling provisioning systems, is a huge step forward – even more if the GRC system can use the reconciliation capabilities of provisioning solutions to detect issues on the fly and not some weeks or months later when next time going through the attestation process (that might be too late – the money might be at some strange caribeean island at that point of time).

Anyhow, the big gap of provisioning still remains. Provisioning (or GRC) are in control down to the assignment of users to groups/roles/profiles in the target systems. But what these group, roles or profiles are allowed to do is managed by someone else – the operator/administrator of these target systems. You should always keep that in mind, because it is the reason why we will need not only one level of attestation but a multi-layered attestation, starting with the sysadmin who confirms that groups, roles, or profiles still have correct access rights at that level.

There is another interesting aspect of Authorization Management: Dynamic Authorization Management. Most of today’s approaches are static, e.g. they use provisioning tools or own interfaces to statically change mappings of users to groups, profiles, or roles in target systems. But there are many business rules which can’t be enforced statically. Someone might be allowed to do things up to a defined limit. Some data – for example some financial reports – have access restrictions during a quiet period. And so on. That requires authorization engines which are used as part of an externalization strategy (externalizing authentication, authorization, auditing and so on from applications) which provide the results of a dynamic authorization decision, according to defined rules, on the fly.

Today, in most cases companies rely on a single-layer attestation – which isn’t sufficient. They have to move to multi-layered attestation, to static authorization management and to dynamic authorization management. And vendors will have to enhance their products significantly to support every aspect. There is still a long way to go for IAM-GRC vendors, not even talking about extending GRC platforms to SIEM, BSM, and other aspects.

My colleague Felix Gaehtgens recently has blogged about his discussion with Tom Bishop, CTO at BMC, about the BMC strategy for IAM. His findings are very consistent with the blog of Tom Bishop which was published some weeks later and appears to be some indirect response to Felix.

It is obvious that many BMC customers are insecure about BMC’s strategy for IAM. There have been several changes, as well in BMC’s organization as in the way BMC is adressing this market. BMC has moved the development of the IAM functionality to India, where they are developing as well other major parts of their products. Some people from the IAM team – as well from the product as the sales/marketing side – in North America and EMEA have left BMC, including Jeff Bohren, one of the guys behind SPML. Even while BMC states that there are more people involved in IAM activities than before, there are some still some open questions left. Read the rest of this entry »

Novell has finally released its Identity Manager 3.6 with integrated role management. There are two points of view on this new feature:
In comparison to the integrated role management functionalities of other provisioning solutions.

• In comparison to the role management products out of the greater GRC market segment, including the business role specialists, GRC apps like SAP GRC Access Control or Identity Risk Management solutions.
• Both are valid approaches, like I’ve written in my other post from today. But it has to be kept in mind that you can’t solve every requirement with one solution – there are some which are best tackled with integrated role management and others which require a solution on top.

The implementation of Novell is pretty good in several areas, but there are also some missing elements. To start with the shortcomings: For example attestation isn’t really solved (by the way attestation is something which requires multiple levels), there are only a few standard reports and defining new approval workflows and making other more fundamental changes requires the not-that-easy-to-use Designer for Identity Manager. Designer for Identity Manager definitely is a great tool, but you really need to invest some time to understand the tool and its concepts.

The positive things are a flexible role model, integrated SoD rules (Segregation of Duties), a flexible concept with roles, policies and workflows which can be easily combined (given that you use the standard workflows or have managed to create new ones with the Designer), and an improved self-service interface, the user application which now is much more mature than for example in Identity Manager 3.0-days.

Thus, Novell has, with its first release, created a role management module which is good while there are better solutions in some (few) other provisioning products. But there is still a lot of work to do for Novell to become leading-edge in the provisioning quadrant. Compared to the GRC tools the dependency to a technical provisioning tool, even with the pretty easy user application, will always be a hurdle. Thus, Novell is competitive in the provisioning segment – but you still have to consider whether that is the right place for your role management (like with any other provisioning product).