The shortcomings of common SOA security approaches

26.11.2007 by Martin Kuppinger

These days I have written a report on the relationship between IAM (Identity and Access Management) and SOA (Service oriented Architecture/Applications). One major aspect of this relationship is around end-to-end-security, e.g. securing the interaction of a user with an application (and the application which implements a business process) up to the backend systems like databases.

That is inevitable because using a service in the context of an user identity or an user role is the only way for consistent, externalized security instead of coded security where some return of a service is filtered by the application depending on the user’s role. Coded security is contradictory to compliance, obviously. It’s expensive in terms of coding and auditing. Thus, it doesn’t make sense.

On the other the most common approaches for web service security are constructed the same way as web access management solutions: Building a layer in front of the services which uses policies to decide how services are used. That includes some part of authorization and sometimes authentication. The problem is: Using such an approach means that there is definitely no end-to-end-security. From my point of view, there is no alternative to federation to transport claims down to the service level. That is the only approach for real end-to-end-security and thus for applications which are architected to fulfill the increasing compliance requirements.


MDM, EAI, IAM, Data Quality

22.11.2007 by Martin Kuppinger

At a workshop I have held yesterday I had an interesting conversation about some aspects of IAM – especially the way, IAM products are developed without reuse of existing technologies. The discussion isn’t really new to me. I have discussed some of the aspects some five or six years ago with one of the leading IAM vendors. A fruitless discussion, by the way.

MDM, e.g. Master Data Management, is a concept for building and maintaining master data, for example for supplier data or material data. There is no real difference to what meta directory services are providing. The only real differentiator are the specific connectors. But the basic concepts are the same. The concept of delivering data quality is inherent to MDM, sometimes based on sophisticated pattern matching approaches. That raises the question: Why don’t we use these technologies for many of the aspects which are done today by proprietary IAM products?

EAI, e.g. Enterprise Application Integration, is an approach for using sort of bus systems to connect different systems and to exchange any type of information. Some two days ago a vendor told me that some of its customers are using EAI (or enterprise service busses) to exchange SPML for the integration of different provisioning systems. Siemens, by the way, used such a technology some time ago. The customers argued about the complexity of this approach. On the other hand such technologies are widely deployed in larger corporations, are very flexible regarding their connection to databases and the core business applications, and ensure a reliable transport. Thus, they often provide functionality which is missing for example in provisioning systems. Again this raises the “why” question.

The provisioning-specific workflows are another example, even while the vendors start to fix this and to support other, external workflow systems which often offer a broader functionality and interfaces to process management tools.

My answer to the “why”-questions is pretty easy (and in fact, it are two answers): I assume that many of the architects of today’s aren’t familiar with the concepts I’ve mentioned and other important IT concepts. And you can’t use what you don’t know. The second part of the answer is: In the first step it is much easier to build a system without integrating these sometimes pretty complex approaches. But on the long run it’s inefficient.

Besides this there are two perspectives: From the IAM only perspective using MDM or EAI as a foundation leads to more complex products. From an overall IT perspective, it leads to less complexity. Thus, it is also a question of the point-of-view. Anyway: I believe that it a least will be helpful to have a look beyond the common IAM approaches. That’s what vendors really should do these days. The example of workflows which are more and more externalized proves that there is some need to do that. By the way: Doing that might as well lead to new competition. Think about MDM or EAI specialists and some other company which focuses on connectors. There might be interesting business models for both of them to successfully compete in the IAM business.


Why IT cost management requires IAM

22.11.2007 by Martin Kuppinger

Have you ever thought about assigning the IT costs in a correct manner? Services and IAM will help you. Services are a means for a more granular view on what IT provides. That is true as well for the IT infrastructure services which are, for example, covered in ITIL. It is true as well for the services used in SOA concepts. But services aren’t sufficient. The assignment of IT costs requires the knowledge about the user. Who is using which services in which frequency? This question has to be answered as well. That means, that you have to know in the context of which user a service runs or – more abstract, for infrastructure services – is used.

Thus, bringing IAM and BSM together and combining IAM with SOA is the foundation on which a more efficient IT cost management could be build. And it is, as well, the foundation for the thing I would call ERP for IT.


Sun is back…

15.11.2007 by Martin Kuppinger

It has been quiet around Sun Microsystems at least in the IAM space for some time. Being one of the companies pushing the market some four years ago, especially with their Waveset acquisition, there hasn’t been that much news for some time. For sure there were still a lot of improvements in the product. But other vendors like Oracle and SAP have had much more attention – especially due to their acquisitions. And some interesting things Sun has done like their early entry into the audit space or their virtual directory technology never obtained much attention, for different reasons.

The audit capabilities, for some time now part of the Sun Identity Manager, probably came a little bit to early. The virtual directory technology, on the other hand, is part of the Sun Directory Server and thus not a real competitive product to the standalone solutions in the market. From my perspective, Sun should decouple these products.

But back to the silence around Sun – it ended yesterday. Or, to be honest, it ended some days ago when the rumors around the planned acquisition of Vaau became more frequent. Yesterday the official information about that deal was released. Sun invests in the IAM space – and aquiring in the role management space for sure is a good thing today in these days because role management is one of the most important areas of the IAM space. Sun increases its competitive positioning with Vaau. That’s a good signal – for Sun as well as for the market, because more competition is always positive for the customers.

For sure we will have to observe the integration of Vaau technology into the Sun IAM portfolio. But with its audit capabilities, with Vaau and with being amongst the first vendors to support the new web service interfaces of SAP GRC Access control, Sun is definitely back and working on its positioning in the IAM space. So they are not only one of the early innovators, but they appear to be back in track for a leading position in the market also for the next years.


Proofing the need for an application security infrastructure (budget)

15.11.2007 by Martin Kuppinger

One of the emerging topics in the broader IAM space integrates GRC and Identity Management: Identity Risk Management, including aspects like Identity Risk Metrics. Identity Risk Metrics are used to measure specific aspects of Identity Management. These metrics can be mapped to risks and thus serve as a means to detect and, in the next step, reduce risks. Such metrics can be defined in many areas.

May be the most interesting are Application Risk Metrics – in the context of digital identities. Elements of this category are things like

  • Usage of central identity stores (instead of application specific identity stores)
  • Sensitive attributes in decentralized identity stores
  • Sensitivity of the application and its data
  • Supported authentication mechanisms and their strength
  • Number of user accounts
  • Encrypted storage of passwords
  • and many others…

The analysis of these Metrics automatically leads to a clear view on the level of centralization of Identity Management and, combined with the risk view, to a clear rating of risks which exist due to decentralized user management on the application level and the lack of an application security infrastructure.

Measuring these Metrics can clearly lead in more management support for building application security infrastructures and changing the way security is implemented in applications. It is not very difficult to do this sort of analysis. It doesn’t need a specific Risk Management software, it is just about identifying the applications (which is the hardest part) and counting – and may be some analysis in Excel. And it is about mapping the result to defined risks and to provide an answer on the question of “how to reduce  the risk”. The answer is quite obvious – it is the approach of application security infrastructures.

And that is just one example of what you can do with Identity Risk Metrics.


IAM and the midsize market

08.11.2007 by Martin Kuppinger

The ones who are reading our newsletter or the articles at our website for some time know that IAM for the midsize market, e.g. the not that big corporations, is one of my favourite topics. Today I had an interesting discussion with a vendor who raised the question which vendor will dominate that market. There are four options:

  • SAP
  • Microsoft
  • IBM
  • The rest

SAP is a favourite for customers which are still using SAP as their strategic ERP platform. Microsoft enters the customers via the Active Directory. IBM is still there, at least at most of the midsize companies. Thus, everyone else has to prove that he fulfills the needs of midsize companies better than the other ones. Some vendors, mainly with regional focus (e.g. only US or D-A-CH or somewhere else) are delivering specific solutions for this market. That goes beyond licensing and means to support pre-defined processes, optimized connectors, best practices and so on.

I personally believe that it won’t be only the three I have named explicitly. Every vendor who is able to deliver a real midsize offering will have a good chance to win customers – just because there are so many corporations which require an IAM solution…


Posted in IAM market | 1 comment
© 2015 Martin Kuppinger, KuppingerCole