Oracle Acquires Passlogix -- A Signal That eSSO Is No Longer A Separate Market

In a rather unsurprising move, Oracle acquired its longtime OEM partner of eSSO solutions, Passlogix. The sale has closed after a relatively long courtship – the eSSO market has been consolidating for a long time: Novell’s OEM agreement with ActivIdentity, IBM’s acquisition of Encentuate all signal IAM stack consolidation. Beyond the obvious — 1) eSSO integration with Oracle Access Manager and Oracle Adaptive Access Manager to integrate with web single sign on, 2) a multitude of second factor and adaptive authentication mechanisms using v-GO User Access Manager, and 3) using v-GO SSO’s screenscraping technology to create Oracle Identity Manager connectors to arcane, no-CLI systems — large tasks remain for Oracle: a) providing access management for mobile devices and b) getting to be a credible player in Privileged User Management (where Passlogix’s v-GO Shared Accounts Manager is a second-tier player).

CA Acquires Arcot, VMWare Buys TriCipher

How  Authentication-as-a-Service becomes a part of leading IAM stacks and why virtualization is no longer a viable technology without identity and access management.

CA’s acquisition of Arcot signals that partnering with an adaptive authentication vendor is no longer enough to offer a comprehensive access management strategy: you’d also have to have an adaptive authentication product to allow your customers to retire costly physical tokens. But this is not the primary reason  CA picked up Arcot. It is Arcot’s thriving hosted authentication and fraud management services that were the most lucrative assets to CA. Adaptive authentication is part of any organization’s fraud management strategy — however, CA’s inexperience here leaves a few questions to be answered. Will CA keep and grow Arcot’s fraud prevention service? If so, how will it integrate fraud management with IAM? The requirement for integration is clearly highlighted by Forrester’s conversations with its FinServ and other verticals’ customers.

Read more

Enterprise Role Management - New Podcast!

Last Monday, Stephanie Balaouras and I recorded a podcast on a recent hot topic amongst Forrester clients — Enterprise Role Management (ERM). For the most part, people understand fundamental provisioning so I wanted to take this time to go through ERM in a little more detail.

Over the past few months, I have been asked many questions about taking ERM to the next level — about how to expand and automate identity management infrastructure. Before determining whether this is the right step for your company, however, it's important to understand the two most important benefits from doing so and also recognize the prerequisites.

Among others, two benefits of ERM are security and compliance. Achieving a more mature role management system will increase your organization’s security around information sharing, and it will enable understanding of the segregation of duties. Before achieving this level of security and compliance,  it’s important to simplify your identity repository and create a clear-cut set of records. This allows for a recertification phase when managers can take the time to revoke or grant access to existing accounts. Once you have created a clean, up-to-date role management database, your organization is ready to look forward to taking ERM to the next level.

After speaking with many clients on this topic, I have garnered a solid list of best practices that everyone should be aware of before attempting to strengthen any ERM system. These practices include data points around user population and recertification timelines, whether or not a hierarchical approach should be adopted to organize roles, and the value of tools such as Web single sign-on and security incident and event monitoring as they relate to role management.

Read more

Cisco's Path In Entitlement Management

Andras Cser

While waiting for the pan-out of the Cisco System's acquisition of Securent, I can't help but wonder how Cisco is going to develop the Securent technology in its future products. Will the Securent policy engine (PDP) be used 1) as a main point for policy management and enforcement for network equipment, OR 2) will they continue using the product along the 'Securent-intended' path: enforcing fine grained application level policies by integrating policy enforcement points into applications, OR  3) managing fine grained authorizations on the network layer (without the need to open up applications), similarly to BayShore Networks, Autonomic Networks, and Rohati Systems? Without a comprehensive identity and access management offering (IAM), Cisco will probably be fit best to do 1) and 3) described above. This seems most consistent with Cisco's background and culture.

Hitachi acquires M-Tech Information Technology

Andras Cser

The number of pure-play vendors in user account provisioning decreased on April 7, 2008 when Hitachi announced that it acquired M-Tech Information Technology, and changed the name to Hitachi ID. Although Hitachi has been lacking an identity and access management (IAM) pedigree, this move can prove important due to the following reasons:
1) Using IAM for provisioning of physical resources and hardware resources.
2) Extending enterprise role definitions to previously uncharted verticals and cultures.
3) Evangelizing user account provisioning and IAM in Japan and other APAC regions.
4) Hitachi becoming a major player in Japanese SOX (JSOX) implementation.

Needless to say, the above will hinge on Hitachi's ability to retain and grow the existing customer base of M-Tech IT in North  America and Europe, and also on  Hitachi's ability to compete against EMC's selling of  Courion and RSA products. How Hitachi will create an access and adaptive access management (Web and desktop) portfolio to complement its identity management and provisioning portfolio also remains to be seen.

IBM Acquires Encentuate

IBM acquired Encentuate for an undisclosed sum. This underscores the validity of Forrester's prediction that the enterprise single sign-on (E-SSO) market in identity and access management (IAM) will grow from E-SSO's $250 million in 2006 to $2 billion in 2014 - a CAGR of 28.5%. What are the likely implications of this acquisition in the E-SSO marketplace?

1.  After CA and Novell, now IBM will have a fully integrated IAM suite in which E-SSO will be first acquired, but later an organically grown product offering - provided that IBM is successful with integrating not only technologies, but the Encentuate engineering, support, and sales resources. Past experience with similar acquisitions show that this often sounds easier than it actually is.

2. Other E-SSO vendors (ActivIdentity and especially Passlogix) will lose some of their market share and will need to ramp up investment in product development to be able to keep their leading edge in product functionality.

Overall, IBM's move signals that E-SSO has become a mature and viable technology which - in conjunction with user account provisioning - will continue to drive the IAM market growth.

Ping Identity acquires Sxip Access

Ping Identity announced that it acquired Sxip Access for an undisclosed sum. The rationale of the acquisition is to allow Ping Identity's products to meet enterprise-wide, typically SSO challenges. This is important to be able to further extend Ping's market share with software-as-a-service providers. Is it a breakthrough?  Hardly. Questions still remain as to how major enterprises can integrate Ping Identity's new extended product line with an existing infrastructure in identity management and provisioning. Forrester increasingly sees broken ladder steps in the progression from the SMB market to the enterprise market for those identity and access management (IAM) vendors that have incomplete IAM product lines. Ping Identity still needs to make substantial investments to build an IAM suite, or forge strategic partnerships with pure-play provisioning and role vendors to successfully compete long-term in the IAM arena of large vendors.

OpenID family grows – How it can transform Identity Federation between enteprises

With Google, IBM, Microsoft, VeriSign, and Yahoo! joining the OpenID Foundation, we may actually feel that something in federated access management is going to change. It is finally not the case of a vendor proposing a new standard – and adding to the cacophony of federation standards – but a set of moves towards a simple technology that today can alleviate password management woes at service providers.

Technology aside, OpenID will greatly help with reducing and removing the legal obstacles in the way of  identity federation’s proliferation. When payment-grade, commercial, and trusted identity provider service becomes a reality – VeriSign’s joining the OpenID camp clearly points in that direction – and software-as-a-service companies (like salesforce.com),  accept OpenID authentication from these trusted identity providers, then enterprises can truly start thinking about outsourcing password management identity management processes. When required, strong authentication integration with OpenID can rely on VerSign’s VIP or other vendors’ strong authentication acceptance network.

Read more

New Year's Resolutions for choosing online retailers

With CardSpace and Higgins being in nascant and almost non-existent market adoption mode, you may wonder what authentication features you want to be looking for when shopping online. Usernames and passwords are a thing of the past: you can safely assume that you will use a computer to log in which has a keylogger or trojan capturing your keystrokes, and with it your username and password.

Savvy customers are increasingly turning towards online retailers and financial institutions which provide at least some form of multi-factor authentication to protect against password theft. The following list gives a compass to consumers and vendors to navigate the misty waters of online transactions.

Smart cards / USB tokens (very costly, high level of security, great user inconvenience)

Hardware based solution that contains applications, PKI certificates used to authenticate to a site. These cards can include a magstripe for physical access management and RFID proximity sensors.

Read more

Categories:

Sun acquires Vauu

Compliance requirements of large enterprise customers are too complex to satisfy with organically grown role management software. As a result, it appears that the role management acquisition storm is starting. With BridgeStream acquired by Oracle and now Vaau by Sun, enterprise role maintenance is finally coming of age and will be part of Sun's Identity Management portfolio. Vauu's large number clients will continue to demand vendor agnostic solutions from RBACx, and although Sun has traditionally been one of the strongest players in the market of multi-OS vendors, it remains to be seen how Sun will handle the multiplatform challenge and keeping RBACx alive non-Sun operating systems. System integrators now have one less choice for picking an independent role magagement vendor. Eurekify, BHOLD, and Omada will likely now to receive acquisition offers from other large IAM suite vendors trying to complete their provisioning role management portfolio.