Another acquisition in the IAM and GRC has been announced that weekend. CA decided to buy Eurekify, a role management specialist with specific strengths in role mining, based in Israel. That adds to the recent acquisitions in that field, like Sun with Vaau or Oracle with Bridgestream. The CA/Eurekify deal is somewhat special because Eurekify has been more focused on pure role management than Vaau or Bridgestream. Thus, there won’t be much overlap to CAs current portfolio.

The acquisition proves that CA is willing to invest in the IAM and GRC markets. There has been some time after the acquistion of Netegrity where we hadn’t heard that much from CA - but with the R12 release of their Identity Manager, with focus on integration of own and acquired technologies, and now the acquisition of Eurekify, CA is definitely back in the game.

From a market perspective, the acquisition is pretty interesting. First of all, the opportunities for other players in the market to become acquired are less than before. On the other hand there are still some few big players which might to invest in role management and GRC specialists.

On the other hand, there are some new options for companies which are strong in role mining - like the swiss IPG AG or the italian Engiweb. Eurekify had many partnerships with Identity Management vendors. I don’t expect other vendors to stay with Eurekify now that it is CA. Thus, some vendors will have to choose new partners in the not that long list of Role Mining and Role Management specialists (or, in the case of Engiweb, vendors that support Role Mining/Management amongst other functionalities).

In our new Roadmap Report Identity Management and GRC 2009, available from Oct 13th 2008, we describe the structured evolution of Identity Management and GRC infrastructures across multiple maturity levels, from basic, administration-focused deployments towards business- and service-oriented implementations.

Within this guideline, I personally think that one of the blocks is particularly interesting. It is about “Identities” (covering the concepts behind and their storage) and moving forward to a business-controlled IAM. What we have in mind there is in fact the integration of Identity Management with the applications which deal with some of the core business objects - like employees, customers, or suppliers.

These objects play a central role within the business applications. And they are identities. Thus, it is obvious that identity management concepts and technologies can provide value in providing a consistent, integrated view on these business objects. From the perspective of business systems, we probably won’t use the term identity management. But we will use it.

In the light of such an approach, it becomes clear as well why vendors like SAP, Oracle, and Microsoft are heavily investing in identity management. In approaches where we business objects are managed and used in service-oriented applications, the consistency of these objects is a core requirement. The vendors which provide application infrastructures and business applications thus require identity management technologies. You can, for example, expect NetWeaver Identity Management thus to play a vital role in SAP’s Enterprise SOA approach, with a much tighter integration than you might expect today.

That integration is consistent with the overall tendency of IAM moving from an administrative technology to the business-level, with the application integration and business support mentioned as well as with GRC (and, in consequence, business roles and rules) as control infrastructure above today’s more or less technical provisioning solutions.