IBM aims identity suite at compliance, audit pains

IBM has been on a shopping spree over the last several years to beef up its Tivoli identity and access management suite. Over the summer, Big Blue rolled out the results of its acquisition of Consul Risk Management, launching the Tivoli Compliance Insight Manager to automate the tracking and reporting of non-compliant behavior across the enterprise. In this Q&A interview, Joe Anthony, program director for identity management for Tivoli, explained to SearchSecurity.com IBM's strategy moving forward and why some vendors, in his view, are moving away from point solution vendors to solve their identity and access management issues.

What are some common identity management changes and why would a company choose a full suite to address them rather than point solutions?
Customers have multiple problems that they're trying to address in their organizations. They may just have a user provisioning challenge, but in most cases they're trying to look at what they need to do throughout their company for all their compliance management needs. That usually runs the full gamut of how you address access management, how you address user provisioning, your directory and identity data infrastructure you're using to handle the identity metadata that you're going to leverage throughout the organization. An individual solution to get started is fine, but you want to look at what your total objective is over a period of time that the projects are going to run and if you are working with a vendor that's going to meet all those needs versus dealing with three or four different point vendors who will meet each of those specific needs.

To put it into perspective, IBM acquired a bunch of point vendors and put them into one suite, correct?
We've done an awful lot of integration over the years. We've been very methodical and the acquisitions that we did make as far as assessing who we thought were very good market leaders at the time of the acquisition. Then we spent a lot of time and energy to make sure that the products were integrated and would address the customer needs.

A recently published Burton Group report said IBM needs to prove integration of its usability features of Tivoli Identity Manager to build a cross-functional suite of products. Has cross-functional integration been an issue with the various acquisitions you have made?
It's been an area of heavy investment for us. You'll continue to see us put additional efforts there. It's one of those areas that no matter how much you've done, there's always more that you can do. We will continue to increase the level of integration across the products. The other area around our Identity Manager specifically, we have a version of the product called Tivoli Identity Manager Express – a lot of the features in there make it simpler to deploy it, easier to use, so there's screens tailored just for end users versus just a manager who is reporting things. We've taken the features and in the fourth quarter we will have a version of Tivoli Identity Manager that takes the best features of the Express and makes those available on top of Tivoli Identity Manager.

Let's talk about the benefits of deploying a single sign on. Is that really what your customers are looking for when they choose an identity management suite?
It depends. We'll often go in and assess where the customer is in their overall cycle of deploying an entire identity management infrastructure and we'll see where their greatest pain points are. Some customers do want to start with an enterprise single sign on because that has the most obvious impact to end users and they just want to go ahead and let them see an immediate benefit. Others have already taken a number of their applications and their Web-oriented applications and they may not go with a traditional enterprise single sign on product as much as managing it from an access management perspective and doing a Web single sign on so the end user doesn't even see the vast majority of what's going on. There's other accounts, where, as a result of an audit, they'll have very poor user provisioning policies in the removing of users from systems and they will focus on that right away.

What are some of the complications that result in poor user provisioning policies?
If when people are leaving an organization, there is a policy that says that within 48 hours of a contractor leaving an organization you're going to remove their access from email, financial data systems and things like that. An auditor may come in 60 days later and find that none of those accesses have been removed. That will definitely get auditors off on a bad foot. The other area that is very common is the separation of duties problems. Quite often companies will go ahead and keep on adding additional permissions to an individual user so if they've worked in finance over a period of ten years and switched jobs once a year, they will have aggregated far too many entitlements within the finance organization. You would almost be guaranteed to have a separation of duties problem. An individual person would now have the opportunity to be authorizing new contracts, they'll have the authorization to cut checks, make payments, etc. and you just end up with a blatant separation of duties problem.

When did identity management become so closely aligned with security? Wasn't it really off on its own for a long time?
As far as a basic need, it's been around since about 2000 and we've seen increased interest over the last three years where people are starting to realize that you can't manage it as a silo. We've advocated that customers make it as a very strong part of their overall identity and access management paradigm and that's how you drive compliance in the organization. Quite often individual companies will look at this as a silo, but we definitely need to drive the mindset in the organization that these things very much are intertwined and need to be looked at holistically across the business processes as well as the compliance and audit processes as well.

What were the market conditions in 2002 that prompted IBM to step into the market? What did IBM see at the time in terms of the solutions it needed to provide?
I think we saw a definite need for that level of capabilities. At that time we saw that, in terms of capabilities, the level of increased functionality that we wanted to add to our own offering was definitely going to take us longer than we would have liked so we went out and did an acquisition in 2003 to jumpstart that next evolution of what we wanted to do with identity and access management. We acquired Access360, we assessed the different marketplace vendors at the time and thought that they brought the most to the table and we wanted to leapfrog where we were technology wise. At the time we did have an offering in the market, but we thought Access360 would allow us to deliver additional value to our customers faster.
