The compliance requirements of large enterprise customers are too complex to satisfy with organically grown role management software. As a result, it appears that the role management acquisition storm is starting. With BridgeStream acquired by Oracle and now Vaau by Sun, enterprise role maintenance is finally coming of age and will be part of Sun's Identity Management portfolio. Vaau's large number of clients will continue to demand vendor-agnostic solutions from RBACx, and although Sun has traditionally been one of the strongest players in the market of multi-OS vendors, it remains to be seen how Sun will handle the multiplatform challenge and keep RBACx alive on non-Sun operating systems. System integrators now have one less choice when picking an independent role management vendor. Eurekify, BHOLD, and Omada will likely now receive acquisition offers from other large IAM suite vendors trying to complete their provisioning role management portfolio.
The consolidation of the IAM market is not a new phenomenon and has followed this pattern: a large software company with a follower IAM product set acquires a smaller IAM vendor with a proven track record to update its IAM product and services portfolio and to secure increased market presence. The acquisition of Securent by Cisco is fairly different and highlights the following trends: 1) Entitlement Management is needed so much by the market that Cisco – even though it has not traditionally been a player in the IAM space – enters the market first with an Entitlement Management product. It is surprising, as only CA has an EM product today – all other IAM vendors are still trying to build their own, and the other serious competitor in the EM market, BEA ALES, is not for sale as a startup would be. 2) Entitlement Management may be moving (along with IAM) to operations and to the network protocol level. In fact, Cisco intends to incorporate the Securent EMS product into the policy engine of its SONA architecture. Policy Enforcement Points (PEPs) are currently implemented at the application endpoint. With this acquisition, customers will in the future be able to implement hybrid PEPs distributed between the network and the application, thus starting to move non-business policy logic into the infrastructure layer.