Identity management projects can be complex and cumbersome, but vendors are figuring out ways to help enterprises ease into the technology.
Sun Microsystems Inc.'s new Identity Compliance Manager, which automates the process of certifying and auditing user access to data and applications, represents this trend, says Ian Glazer, senior analyst at Midvale, Utah.-based Burton Group Inc.
Sun and other vendors are offering enterprises a way to move into identity management by starting with access certification, which helps businesses meet various regulatory and internal requirements, and then grow into more complex projects, he said.
"It's a way of starting with something of reasonably high value and maybe a little less complexity and then grow that project into something that has complexity like role management or user provisioning," he said.
Sun Identity Compliance Manager parses out and builds on the access certification capabilities of Sun Role Manager, which was released in March. Role Manager was formerly known as Vaau RBACx; Sun bought Torrance, Calif.-based Vaau Inc. a year ago.
SUN's GRC strategy:
Sun shifts strategy with GRC push: Sun, is putting less emphasis on technology, focusing on a complete GRC portfolio that includes partnerships and services to address risk. Analysts said the new strategy would be a challenge for the vendor, which has traditionally focused on its open source tools.
Some customers shy away from full-scale role management technology so Sun wanted to offer the compliance capabilities as a standalone product, said Mat Hamlin, senior product manager at Sun. Several factors are driving an increased need for access control compliance, including regulatory pressures and insider threat risks, he said. Identity Compliance Manager "provides the answer of who has access to what," Hamlin said.
Access certification has gained more visibility in the enterprise and companies have been using a variety of homegrown and vendor tools to carry out the process, Glazer said.
Vendors offering standalone access certification capabilities include CA Inc., Aveska, SailPoint Technologies Inc., Hitachi-ID Systems Inc., Courion Corp., and Approva Corp.
Sun Identity Compliance Manager also provides segregation of duties enforcement and an entitlement glossary that translates cryptic descriptions of IT entitlements so business managers can understand them. The product integrates with user provisioning systems from Sun as well as from vendors such as Oracle Corp. and CA.
Nick Crown, Sun senior product line manager, said Identity Compliance Manager's access certification and segregation of duties functions provide a way to cleanse identity and entitlement data, which can then lead into defining roles that can be used for provisioning. He said the product is important for Sun's overall identity management suite, which includes Identity Manager, Role Manager and OpenSSO Enterprise.
"This provides a great first step for customers to take," Crown said.
"The market did have a tendency to put these enormous types of offerings out there that were just a little mind boggling to deploy," Glazer said. "We're seeing a little more nuance and focus on how some things can be more digestible for the enterprise."