Role-over

09.12.2008 by Sebastian Rohr

Looks like IAM and GRC is all about roles, doesn't it? Well, for the sake of simplicity it does. Simplicity, you ask, having had trouble defining these in a year-long struggle and ending up with worthless collections of access rights and user profiles due to the latest merger and the finance-crisis consolidation?

You have pretty good company, as many organizations face these problems. A few years back when I worked for CA, a good portion of the IAM projects also included considerable amounts of work to be done on roles. VAAU, at that time the preferred role-mining specialist in the market, helped a lot getting this work done, especially in the early phases of the projects. As companies are comparable to living organisms, they tend to change over time (sometimes rapidly), thus affecting the roles and profiles users might be mapped to.

Early role-mining only provided insight into the situation at the moment the snapshot or analysis was made, leading to frustration and incorrect roles once the IAM system was about to be deployed. Vendors like the former VAAU (now with SUN) and the recently acquired Eurekify (now with CA) learned their lessons, providing consistency checking and automated role-monitoring as new key features. This evolved the early role-mining tools from providing fuzzy “best-before” role data into helpful GRC-supporting tools that constantly check whether the former analysis is still valid. One example: if members of a certain group of users sharing the same role get a similar exception or add-on to their access rights, Eurekify would suggest making this exception a part of the role. This helps to manage exceptions before they become a labyrinth, while making the life of admins and auditors easier.
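To make the consistency-checking idea concrete, here is an added example (my own illustration, not Eurekify's or CA's code) of the two checks a role monitor keeps running after the initial mining: per user, which entitlements fall outside what the assigned roles grant (extra) or are missing from what they should grant; per role, which of those extras are shared by most members and are therefore candidates to fold into the role. The role definitions, users and entitlement names are constructed sample data, and the 75% threshold is an assumption.

```python
"""Role-consistency check: detect per-user exceptions against role
definitions and propose folding widely shared exceptions into the role.
All role, user and entitlement data below is constructed sample data."""
from collections import Counter

# Constructed sample data: role -> entitlements the role is defined to grant.
ROLES = {
    "finance-clerk": {"erp:ledger:read", "erp:invoice:create"},
    "it-admin": {"ad:reset-password", "vpn:access"},
}
# Constructed sample data: user -> assigned roles.
USER_ROLES = {
    "alice": {"finance-clerk"}, "bob": {"finance-clerk"},
    "carol": {"finance-clerk"}, "dave": {"finance-clerk"},
    "erin": {"it-admin"}, "frank": {"it-admin"},
}
# Constructed sample data: user -> entitlements actually held in the target systems.
USER_ENTITLEMENTS = {
    "alice": {"erp:ledger:read", "erp:invoice:create", "erp:report:export"},
    "bob":   {"erp:ledger:read", "erp:invoice:create", "erp:report:export"},
    "carol": {"erp:ledger:read", "erp:invoice:create", "erp:report:export"},
    "dave":  {"erp:ledger:read", "erp:invoice:create", "ad:reset-password"},  # one-off add-on
    "erin":  {"ad:reset-password", "vpn:access"},
    "frank": {"ad:reset-password"},  # missing an entitlement the role should grant
}


def expected_entitlements(user, user_roles, roles):
    """Union of everything the user's roles are defined to grant."""
    return set().union(*(roles[r] for r in user_roles[user]))


def analyse_roles(roles, user_roles, entitlements, threshold=0.75):
    """Return (suggestions, outliers).

    outliers: user -> {"extra": held but not granted by any role,
                       "missing": granted by a role but not held}
    suggestions: role -> extras held by at least `threshold` of its members
    """
    outliers = {}
    for user in user_roles:
        expected = expected_entitlements(user, user_roles, roles)
        extra = entitlements[user] - expected
        missing = expected - entitlements[user]
        if extra or missing:
            outliers[user] = {"extra": extra, "missing": missing}

    suggestions = {}
    for role in roles:
        members = [u for u, rs in user_roles.items() if role in rs]
        counts = Counter()
        for u in members:
            counts.update(outliers.get(u, {}).get("extra", set()))
        shared = {e for e, n in counts.items() if n / len(members) >= threshold}
        if shared:
            suggestions[role] = shared
    return suggestions, outliers


def fold_into_role(roles, role, entitlements_to_add):
    """Return a copy of the role definitions with the suggestion applied."""
    updated = {r: set(e) for r, e in roles.items()}
    updated[role] |= set(entitlements_to_add)
    return updated


if __name__ == "__main__":
    suggestions, outliers = analyse_roles(ROLES, USER_ROLES, USER_ENTITLEMENTS)
    print("suggested role extensions:", suggestions)
    print("per-user exceptions:", outliers)
    # After folding the shared exception in, the one member who never got it
    # shows up as 'missing' it: exactly the drift a monitor should keep reporting.
    new_roles = fold_into_role(ROLES, "finance-clerk", suggestions["finance-clerk"])
    print("after folding:", analyse_roles(new_roles, USER_ROLES, USER_ENTITLEMENTS)[1])
```

Running the analysis twice, once before and once after folding the shared exception into the role, is the point of the example: the first pass proposes the role change, and the second pass turns the three former "extras" into a clean state while surfacing the one member who now lacks the entitlement, so the exception list shrinks rather than growing into the labyrinth the post describes.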

Speaking of “easier”… during my recent briefing with a former Eurekify EMEA VP and now CA employee, the question came up of how CA will leverage the power of Eurekify's tools in their customer base. I was told that existing IAM customers – regardless of which vendor they chose – will remain the primary focus of the team, as the above-mentioned role-management and role-auditing capabilities are available for all major IAM products in the market. I was pleased to hear that CA will continue to sell Eurekify technology without limitations – and was even happier to hear that integration will extend the available web service interfaces.

Keeping this open mind and easy way to discover, integrate and manage will definitely be advantageous to the CA partner community, providing audit, role-mining and compliance services with the former Eurekify tools.
I am looking forward to what happens next regarding the role-management tools and offerings – and also to what and when CA merges the Eurekify capabilities into their GRC and IAM tools!

Consolidation… as expected

17.11.2008 by Sebastian Rohr

The recent acquisition of EUREKIFY by CA does not come as a surprise; it was rather expected to happen sooner or later after the OEM/reseller agreement had been published. CA took what was left for grabs after SUN had (more to our surprise) settled an agreement with VAAU, who had also been in close cooperation with CA (and others) before. The consolidation of the role mining and role management market is in full progress, and it is to be expected that each large IAM player in the market will cooperate with, if not acquire, one of the smaller role specialists left in the field. From the side of Eurekify, overall good/euphoric feedback on the deal was received. I tried to contact Dave Hansen to get his personal quote on the deal, but so far my sources at CA have not been able to push through to him. I, personally, think that this acquisition is good for CA and will strengthen their position, especially during the presales phase. Role mining and analysis as a service has become more important to assess the IAM-readiness of customers, although the value-add derived from an in-depth analysis is far bigger than just acting as a bait to prospective IAM customers. I expect CA to position and integrate their newest toy as a core component in their GRC/IAM offering, as role modeling, provisioning, audit and the like are interwoven with each other and need to be dealt with in a joint effort.

Good luck! I am looking forward to a personal dialogue with IAM guys at CA!

Creating Authentication Strategies

12.11.2008 by Sebastian Rohr

Joining a special “reality” session was the best choice I made while attending IIW. Not only was this a wonderful opportunity to compare our KuppingerCole approach to providing insight and second opinion on the exact topic, but also a chance to get a deeper understanding of how to analyse and structure the whole process from the point of view of the Identity Architect. Most important was to learn about the projection and “5 year plan”, especially regarding assertions, federation and – naturally (for me) – smartcards and certificates. Great to learn also that usage of TPMs (Trusted Platform Modules for Trusted Computing) as secure storage for soft tokens and certificates is gaining momentum (years after manufacturers started integrating them into PCs and laptops). I will definitely check back with the “anonymous” presenter during the next years to see his strategy evolve, especially as my recent learnings on biometric authentication schemes, SSO and strong auth in general were my pay-back to the architect.

To my special friends at Infineon: hey, your products are actually needed on this side of the ocean ;-) and there IS business to be made with TPMs!

breaking a habit – UNDO

09.10.2008 by Sebastian Rohr

Despite the fact that I clearly see CA's recent acquisition of IDfocus LLC and their ACE technology as a plus to the whole offering of IAM technologies from CA, for me it is still sort of a “back to the roots”.

CA has had a (rather bad) history of acquiring companies whose technology would make a nice fit to the portfolio, but then coming out sub-par after 6-18 months. This was either due to human failure, aka not being able to keep the talented people, or due to underestimating the market traction one could generate from a certain technology. From my point of view, Netegrity's SiteMinder was one of those. Nice “solution” back then, but it was mistaken for a “product” by CA, and their sales failed to deliver the expected projects due to that.

But there had been changes to the recently re-heated discussion on this “buy-and-let-die” strategy, which a senior database vendor executive was blamed for coining. The Niku Clarity solution prospered since the acquisition. Also, the Network & Systems Management tools were integrated and continue to excel (even though some brain-drain happened after those had been acquired). And, last but not least, CA was also able to deliver first glimpses of the “innovate from within” strategy (see the recently launched GRC products) which Al Nugent, as CTO, had introduced a while ago.

So, why go back to the old habit? Well, we all know they are hard to resist! And in the case of an ever-expanding field of IAM and GRC, one can only innovate so much from the inside with decreasing numbers of talented developers being available…

From my point of view, CA does the right thing in going back to acquisition, IF they keep innovating from the inside. Furthermore, they need to speed up the integration of acquired technology. I was quite happy to see their Identity Manager product integration finished with the recent release. But it took them more than 2 years – too long for a fast-moving market like IAM & GRC.

I am looking forward to seeing how CA is dealing with this, as it for sure could strengthen their position as IAM leaders, if played well.

More Crystal Balls… PKI v.2, convergence and the like

30.09.2008 by Sebastian Rohr

One of our jobs as analysts is to provide insight and vision on what and when things are going to change and how it is going to happen. Sometimes though, my fellow analysts are far off with their predictions; sometimes one just underestimates the market pull or some impressive marketing stunt one of the vendors pulls to push the cause. Other times, for example with PKI, the real hype never materializes – but nevertheless the technology silently grows and matures and never really vanishes.

Lately, I was doing some work with Entrust and they were curious to hear that I had been talking to some companies who had actually come up with plans of deploying a PKI in the near future. No kidding! We even saw the complete raze & rebuild of PKIs where Fraunhofer has created a new competence center around PKI and set up a new, TeleSec-signed root CA. Fun thing is, they are even offering 3rd-person certificates free of charge! At least to their communication partners – and it is still in the evaluation phase.

Besides, PKI “v2” seems to have become more or less part of the infrastructure, as some smaller companies just decide to go the KISS way and deploy a Microsoft PKI (not that it is easy to create one that works, and works the way you like it to work – thorough planning is recommended!). Fun thing is, I even heard vendors say: “uhhh, if it is only x,000 people and it is just for authentication – do your customer a favour and stick with a ‘simple’ solution”. By ‘simple’ one meant “low on license cost and maintenance”, at least that is what I derived from it.

Anyway, integration and proper use is always key to the success of such a technology, and thus I am pretty sure that if there is a use case and a direct application, any company can benefit from setting up a PKI. Especially in those situations where there are tokens and/or smartcards available as certificate containers that are used as company badges or access tokens for PACS or time & attendance solutions. Hm, … now I do sound like Mr. Self-Fulfilling Prophecy, don't I? Anyway, if I use my crystal ball I definitely see more integration and thus convergence, and PKI with multifunctional smartcards is part of this, as well as the use of SSO and centralized IAM!

Managing External IDs

14.04.2008 by Sebastian Rohr

Have you ever encountered procedural problems while re-engineering your hiring, retirement or resignation processes to adapt them to your brand new IAM solution? Did you feel that modifying your IAM system to cope with all the different requirements, access rights and approval chains might as well be tackled by writing your own IAM system? Fine! Then you are in the best company you can imagine, because almost everybody went through that deep sorrow you feel. Now imagine you have to do all this for each and every external identity your company deals with in every business unit – do I hear a muffled sobbing, or – is it somebody screaming loud and running away in pain?

The average IAM project comes to its limits with managing all the internal identities, logins, usernames and access levels one can have. Adding external resources and having them provisioned with all necessary rights – and especially restrictions! – may well go beyond what your vendor claimed his software was capable of doing. That is seldom a matter of technology, or better, seldom ONLY technology related, but deals greatly with managing the rather weird processes of hiring and getting rid of external labour resources. Want an example? Here we go:
Imagine a big broadcasting company, or even better one of the monolithic public broadcasting services here in Germany.
Now imagine this behemoth has to deal with new media, such as IPTV, on-demand content and the like – could and would this be done by internal resources?
I bet there would be dire need for some technophilic and hip member of the blogosphere to chip in his techno-magic skills!
With deadlines approaching fast and youngsters being too reluctant to get an official full-time employee (FTE) working contract (not that positions like these could not be generated out of thin air at a public broadcasting station!), one would aim for the “external editor” model. So far – so good!
Now that our young hero is NOT going to be an FTE, the usual way of getting him access to networks, laptops, servers and apps – the way through the HR hiring process – will definitely not work for him. He will not get an HR ID as he will not get regular payments, and as such he will not be provisioned through the official channels. Maybe HR does not even get involved until some later point in time if the chief editor has his own budget for external workers.
In addition, the standard processes would not be of any assistance, as the new guy would need access to systems that are probably not part of the global provisioning procedures or – even worse – that guy would need administrative access to some production machines!
Therefore, designing special processes for hiring and changing externals, as well as managing access rights and privileges for them without having to get them into all the internal directories and databases, is definitely a MUST for big IAM projects. Roles and rights management should accommodate external and internal resources – thus making exceptions the norm.
Really sounds like a nightmare, huh?
Come to EIC 2008 and join my colleague Felix Gaethgens and me in our session “Managing External Identities”!
Looking forward to meeting you in Munich and finding ways to wake up from that nightmare!

The physical, the digital and the real world

29.02.2008 by Sebastian Rohr

During my recent analyst calls and briefings I came across a bunch of companies and products that all start to tackle an area I have been interested in for quite a while:

getting the “holistic security” approach well beyond the borders of our mindset – beyond the digital realm! Being a CISSP and full of interest for social engineering as well, “security” has always been a wider topic to my understanding. And it looks like the industry is catching up…

First of all, there are those companies that try to bridge the management gap between native systems of both worlds, such as IDpendant. Then there are companies such as Imprivata with their SSO appliance or Made4Biz with their “Dynamic Security” product, both of which use combined functionality of established time&attendance (physical access management) solutions together with mechanisms in the IT access management (authentication) domain.

For IDpendant, the joint administration of access cards (time&attendance with RFID, Legic/Mifare), digital identities and certificates is the main focus – one that I find to be most attractive, as lifecycle management for cards and certificates has only recently been added to the functionality of the Identity Lifecycle Manager, property of Microsoft. Microsoft's solution does lack the “physical” side though, and that is where the XML-oriented middleware kicks in that IDpendant uses to get things together. Getting the RFID object out of the card and writing it to a field in the AD while creating a certificate through the CA at the same time AND getting the card layout printed to the blank card (personalization) is a pretty nice piece of integration work.

Now that Imprivata and Made4Biz are able to get the “attendance” part of the physical solutions as input for their authentication process, the “real integration” of the realms seems to be getting closer! Users can only log in to their workstations if they have previously swiped their access card – nice! Even if users share their passwords, misuse is countered through the deactivation of “absent employee users”.
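Here is an added example (my own illustration, not the logic of Imprivata's or Made4Biz's products) of the presence-gated logon described above: a workstation logon is allowed only if the user's most recent badge event is a swipe-in at the same site; otherwise the attempt is denied and queued for review, since a logon while the account owner is badged out or never arrived is exactly the pattern a shared or stolen password produces. The badge export format, the site-awareness (denying a logon at a site other than the one the user badged into) and all events are constructed assumptions.

```python
"""Presence-gated logon check driven by physical access (badge) events.
A logon is allowed only if the user's latest badge event before the attempt
is a swipe-in at the same site. Every record below is constructed sample data."""
from datetime import datetime

# Constructed sample badge log: (timestamp, user, site, direction).
BADGE_EVENTS = [
    ("2008-02-29T07:58:00", "alice", "munich-hq", "in"),
    ("2008-02-29T08:05:00", "bob", "munich-hq", "in"),
    ("2008-02-29T12:30:00", "bob", "munich-hq", "out"),
]

# Constructed sample workstation logon attempts: (timestamp, user, site).
LOGON_ATTEMPTS = [
    ("2008-02-29T08:01:00", "alice", "munich-hq"),       # badged in here -> allow
    ("2008-02-29T08:10:00", "carol", "munich-hq"),       # never badged in -> deny
    ("2008-02-29T12:45:00", "bob", "munich-hq"),         # already badged out -> deny
    ("2008-02-29T09:00:00", "alice", "berlin-office"),   # badged in elsewhere -> deny
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def last_badge_state(badge_events, user, when):
    """Latest (site, direction, timestamp) of `user` at or before `when`, or None.
    Events are sorted by timestamp first, so later swipes win."""
    last = None
    for ts, u, site, direction in sorted(badge_events):
        if u == user and parse_ts(ts) <= when:
            last = (site, direction, ts)
    return last


def evaluate_logon(badge_events, ts, user, site):
    """Return ("allow"|"deny", reason) for one logon attempt."""
    last = last_badge_state(badge_events, user, parse_ts(ts))
    if last is None:
        return "deny", "no badge-in on record"
    badge_site, direction, badge_ts = last
    if direction == "out":
        return "deny", f"badged out of {badge_site} at {badge_ts}"
    if badge_site != site:
        return "deny", f"badged in at {badge_site}, not {site}"
    return "allow", f"badged in at {badge_site} at {badge_ts}"


def evaluate_logons(badge_events, attempts):
    """Decide every attempt; each result is (ts, user, site, decision, reason)."""
    return [(ts, user, site) + evaluate_logon(badge_events, ts, user, site)
            for ts, user, site in attempts]


def review_queue(results):
    """Denied attempts: the 'absent employee' logons an analyst should look at,
    because a valid password was presented while the owner was not on site."""
    return [r for r in results if r[3] == "deny"]


if __name__ == "__main__":
    for r in evaluate_logons(BADGE_EVENTS, LOGON_ATTEMPTS):
        print(*r, sep=" | ")
    print("for review:", [(r[1], r[4]) for r in review_queue(evaluate_logons(BADGE_EVENTS, LOGON_ATTEMPTS))])
```

The reason string is kept deliberately specific (never badged in, badged out, badged in elsewhere) because the three cases mean different things to whoever reviews the queue: the first looks like a shared credential, the second like tailgating or a forgotten swipe-out, and the third like an account used at two locations at once.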

Well, not all that shines is gold (uhh, German sayings…) – there are definitely flaws to that approach, but I see rising interest in the topic…

Would love to hear from you guys – thoughts, comments?

PS: on a sidenote, Imprivata's “ProveID” concept is pretty cool – it actually provides IAM technology (authentication, that is) for applications without the need to implement that for each app. Quite the idea behind our KCP vision of layered IAM – simply an authentication layer that pops up any time you need it!

Wow for VAAU!

27.12.2007 by Sebastian Rohr

Ok, nothing is more boring than yesterday's news, I guess!

Despite this oh so true statement, especially in the blogosphere, I would like to rant about SUN’s recent acquisition of VAAU, a small company that offers tools around role mining and role engineering as well as compliance.

I had the sincere pleasure to work with some of the VAAU EMEA people and found both their tools and their approach to be very exciting. SUN in Germany is also very excited – at least the SUN guys I talked to lately – and they are eager to put their new tools to work exclusively, bearing in mind that VAAU was open to most IAM vendors before and will now probably go exclusive with SUN ID Management solutions. I'd say this is quite a punch for the remaining bunch…

Same as SAP has to prove that their Maxware deal was worth the price, SUN now has to make sure that the competitive advantage of exclusive access to VAAU technology can be supported with special ties and deeper integration with their IAM solutions. I intend to closely watch these guys next year, and probably have a chat or two with representatives of both sides! This is an invitation – but you know that, don't you?

See you all soon

Sebastian


© 2010 Sebastian Rohr, Kuppinger Cole