CA acquires Eurekify

17.11.2008 by Martin Kuppinger

Another acquisition in the IAM and GRC market was announced this weekend. CA decided to buy Eurekify, a role management specialist based in Israel with specific strengths in role mining. That adds to the recent acquisitions in that field, like Sun with Vaau or Oracle with Bridgestream. The CA/Eurekify deal is somewhat special because Eurekify has been more focused on pure role management than Vaau or Bridgestream. Thus, there won’t be much overlap with CA’s current portfolio.

The acquisition proves that CA is willing to invest in the IAM and GRC markets. There was some time after the acquisition of Netegrity when we hadn’t heard that much from CA – but with the R12 release of their Identity Manager, with its focus on integrating their own and acquired technologies, and now the acquisition of Eurekify, CA is definitely back in the game.

From a market perspective, the acquisition is pretty interesting. First of all, the opportunities for other players in the market to be acquired are fewer than before. On the other hand, there are still a few big players which might invest in role management and GRC specialists.

On the other hand, there are some new options for companies which are strong in role mining – like the Swiss IPG AG or the Italian Engiweb. Eurekify had many partnerships with Identity Management vendors. I don’t expect other vendors to stay with Eurekify now that it is CA. Thus, some vendors will have to choose new partners from the not-that-long list of Role Mining and Role Management specialists (or, in the case of Engiweb, vendors that support Role Mining/Management amongst other functionalities).


Backup in the cloud

11.11.2008 by Martin Kuppinger

Over the last few days I tested several solutions for backup and storage in the so-called “cloud”, e.g. by service providers on the Internet. I learned some interesting things:

  • Backup in the cloud is amongst the most mature cloud services
  • At least in some cases
  • There are still some weaknesses, including performance, platform support, and costs
  • And few vendors provide a strong ITIL and SLA support
  • And, like with all other cloud services, backup in the cloud requires a clear “cloud strategy”

I’ve tested solutions from different vendors, local players in Germany and Switzerland as well as international vendors like Mozy. The best one I’ve tested was a local supplier in Switzerland, with a very detailed description of its service, comprehensive forms for SLAs and so on, and with a strong technical foundation, supporting virtually any type of operating system.

But, in general, most service providers I’ve tested delivered a reasonable solution for backup and restore, with easy-to-use software and very simple setups. These were sufficient for the home user and maybe for small businesses. But at the level of medium-sized businesses, many of these solutions aren’t sufficient. The lack of central management for multiple servers is one of the typical shortcomings.

One of the issues is performance. With ADSL, backup is always relatively slow – at least compared with disk-to-disk backups. Compared with tapes, it isn’t that bad… A bigger issue was, in many cases, the platform support. Some solutions were Windows only, others didn’t support 64-bit versions of Windows Server. That is one of the aspects which should always be evaluated. Another aspect is the pricing. Some solutions started very low, but backing up a few 100 GB – not uncommon today – was pretty expensive. Thus, prices should be calculated for the expected amounts of backup data in order to compare different license models.

The documentation of services was often pretty weak – which is an issue if backup in the cloud becomes a vital part of the business continuity concept of IT. It is worth talking with the vendors about this. For sure you can argue that you could just use two different providers for “failover” – but even then you should ensure that both provide a high quality of service.

Finally, backup in the cloud requires trust in the vendor. You should think about that. Whom do you really trust?

Besides this, backup is only one element of cloud strategies. The more services you use from the cloud, the less you have to care about backup, because that should be part of what the service provider delivers. Thus, long-term contracts might be a lock-in when more services are sourced from the cloud. In general, I strongly recommend first defining a cloud and virtualization strategy and then starting even with basic services like backup in the cloud. Even though backup is easy to implement, you should have a defined list of requirements for your cloud service providers.


Who should be in charge of IAM?

11.11.2008 by Martin Kuppinger

This morning, I had two conversations on the question of who should be in charge of IAM in an organization. Afterwards, I ran through my records and did some analysis. The main question: Which role do those responsible for IAM and GRC have in their organizations? For sure, I only did a sample and asked myself how I’d rate what they were doing.

First of all: There are many good IAM implementations driven by IT administration or IT infrastructure. But, interestingly, the most advanced implementations, with a scope beyond administrative IAM, are usually driven by others – Compliance officers and GRC departments, CIO offices, CISOs, and others. Anyhow, an administrative project might as well have a strong strategic background if done correctly.

What is much more important is that there are approaches which are likely to lead to solutions with too limited a scope, especially in these days of increasing GRC requirements. Amongst these are:

  • Projects with a strong IT service focus: IAM and GRC go well beyond IT operations and the automation of service desk requests. Business control, the implementation of business roles and rules, and new business models which integrate external users and make use of, for example, the technologies of user-centric Identity Management might not be considered sufficiently. Not to mention application security concepts.
  • Projects with a strong security focus: Yes, IAM and GRC can improve security. But they are not only about security, but also about business control and, in general, Business/IT alignment.

My expectation is that GRC platforms will become the business control layer for IAM, as mentioned in our new reports “IAM and GRC roadmap 2009” and “Trend report IAM & GRC 2009”, both available at

In that context, the responsibility for at least the IAM strategy has to be at a level with a holistic view, e.g. those responsible for GRC like a Chief Risk/Compliance Officer or the CIO. The execution of different parts, in alignment with that overall strategy, will then be, for example, at the IT operations department. But, if the question is “who should be in charge of IAM?”, the answer clearly is that it has to be someone who has a broader view on IT. IAM is tightly connected to BSM. It is tightly coupled to GRC. And there are no secure applications and business processes if the relation between application architectures and IAM isn’t fully understood.

© 2015 Martin Kuppinger, KuppingerCole