Diving down to the details of access controls

12.08.2010 by Martin Kuppinger

Provisioning is important to keep access under control, as well as Access Governance solutions play a vital role in that game. However, there is a third group of applications which is commonly required: Tools which allow to dive into the details of access controls in specific environments. There are SAP specific solutions and tools for mainframe environments, XACML for standardized entitlement management for custom applications might be counted as well – and there are tools for the world of less structured information, like file servers, Microsoft SharePoint, and others.

These tools are important to enable a detailed analysis of access rights at the level of files, folders, and shares – when looking at file servers. Provisioning helps us to ensure that a user has an Active Directory account and is member of some specific groups. But what are these groups allowed to do – in detail? Some Access Governance solutions might provide some details, but typically not as specific as the expert tools in that area can do. And there are many tools out there. These days I spoke with Protected Networks, but Econet, Tesis, and ASB - to mention just some German vendors – can deliver on this as well, with somewhat different approaches and capabilities. And these are just some examples.

From my perspective, we need a layered approach – Enterprise GRC, Access Governance, Provisioning, and the specific tools for different important application environments. And we need to integrate these tools. That will enable organizations to fulfill the governance needs and compliance regulations at all levels – with an integrated approach and avoiding investing in point solutions.

By the way: If you as a vendor feel that you fall in that category (for AD and file servers, for SharePoint, for SAP), just keep us informed. We might have you on our watchlist but given that this is a market with many smaller vendors in, we might have missed you until now…


JanRain – identities for social networks

06.08.2010 by Martin Kuppinger

Amongst the different vendors I’ve spoken recently, JanRain is definitely one of the most interesting ones – and will most likely make it into the list of next year’s Hidden Gem vendors. JanRain has had some popularity as one of the initiators of OpenID and with their OpenID libraries and other related services. However, they have made an interesting move during the last years and now provide what they call a “user management platform for the open web”. In fact, they provide products for web sites and social networks to enhance the user experience around registration and the services which deal with user data.

Amongst these products are solutions which enable web site developers to quickly integrate registration features which rely on social networks such as Facebook – use your Facebook account to register… There are several other services on top of this. But there are as well capabilities for stepping up in the authentication depending on the types of interactions and transactions someone is doing.

JanRain has managed to find an appealing and obviously successful business model around identity services. They are not focused on any particular type of authentication like Information Cards or OpenID but provide the frameworks to deal with all these different approaches. And that is exactly what most organizations need today when building their online presence: Flexibility in dealing with different online identities and an user-centric approach which allows users to quickly and easily register. JanRain definitely is worth a look for any web developer and especially for all the people responsible for online marketing.


SAP adds an Identity Provider

06.08.2010 by Martin Kuppinger

SAP recently has announced that their SAP NetWeaver Identity Management 7.1 now includes an SAML 2.0 Identity Provider – it requires the Service Pack (or Support Pack) Stack 5 (by the way: who at SAP is responsible for product names??? SAP BusinessObjects GRC Access Control; SAP NetWeaver Identity Management 7.1 SP Stack 5;…).

SAP is commited to SAML (Security Assertion Markup Language) for a while now – and SAML 2.0 support is found at many places in the SAP portfolio. SAP systems can act as service providers in federation scenarios, with SAML 2.0 enabling the Single Sign-On and sharing of identity-related information. Using the identity provider within SAP NW IDM 7.1 SP 5 (to keep the name short and make it even more cryptic) allows to use a centralized view on identities within federation. The product can provide the unified view on identities which is a foundation for federation. Without identity information quality, there is no successful federation: Garbage in, garbage out.

The enhancement of the product shows where SAP is heading: It is a central element within the SAP NW infrastructure which provides all the identity services required in that infrastructure. There is tight integration with SAP products, but as well support for standards to integrate external applications – like with SAML 2.0 and the inherent support for Non-SAP service providers as well.

The other important enhancement in SP 5 are the Identity Reporting Capabilities based on SAP NetWeaver Business Warehouse. That enhances the reporting capabilities of SAP NW IDM 7.1 – but it requires to have the Business Warehouse product in place. Anyhow, the enhancements clearly demonstrate the strategy of SAP for NetWeaver Identity Management: A central piece in the SAP infrastructure, well integrated, and with standards support. The enhancements demonstrate another point: SAP is executing on its strategy consequently. Maybe a little too quiet, but they are moving forward.


© 2015 Martin Kuppinger, KuppingerCole