Published: 01 May 2008
Feature-rich suites are putting a face on integration and interoperability.
Compliance and consolidation are at the forefront of IT security, especially when it comes to identity and access management (IAM).
Today's regulatory environment requires companies to track and control who has access to what. Meanwhile, the tools for managing that access have grown from sets of distinct products into full-blown suites. It's a result of the wave of acquisitions overtaking the IT security marketplace, with larger vendors gobbling up smaller players to broaden their security portfolios. Even companies not known as traditional players in the IAM market, like database giant Oracle, have jumped onto the playing field.
And identity and access management is hot. In a study released earlier this year, Forrester Research projects the IAM market to grow from $2.6 billion in 2006 to $12.3 billion by 2014, driven largely by compliance.
Forrester also notes that enterprises are shifting away from point products to integrated, feature-rich identity suites to ensure interoperability. Companies are looking for solid players that will be around a long time, grow with them and provide support. Suites offered by established industry players meet this requirement. But they can be time-consuming and costly to deploy, and not live up to their promise of providing an identity panacea.
Prior to 2005, the traditional players in the IAM market were Novell, Sun, IBM and Microsoft. They offered basic identity management products linked to directory services, such as Active Directory (Microsoft) and LDAP (Sun). Other vendors at the time were SAP, BMC, CA and RSA Security, offering various pieces of the identity puzzle such as provisioning and authentication. Many smaller players offered niche products like role management and virtual directories.
Then two things happened in 2005: compliance with regulations such as Sarbanes-Oxley (SOX) started to hit full swing and the acquisition wave took hold. Oracle surprised industry observers with its purchases of two start-ups, user provisioning vendor Thor and virtual directory specialist OctetString. The additions followed Oracle's acquisition that year of Oblix, a supplier of Web access controls. Also in 2005, CA acquired software from InfoSec to clean up obsolete identities, and BMC grabbed Web access vendor OpenNetwork Technologies and Calendra, a supplier of directory management products.
The consolidation wave continued in 2006. Sun acquired Neogent, a product for automating identity management, while RSA acquired Web site authentication companies Cyota and PassMark Security and in turn was snapped up by storage giant EMC. Last year, Oracle bought Bharosa, a supplier of strong authentication for Web sites, and Bridgestream, an enterprise role management software company, while Sun purchased Vaau, another role management vendor. The Vaau acquisition is the cornerstone of a plan announced by Sun in March to expand its IAM suite and face Oracle and IBM head on. In March, IBM acquired enterprise single sign-on (SSO) vendor Encentuate.
All these acquisitions have largely shifted the IAM market to a few big players offering integrated suites. There are plenty of small vendors offering standalone products, but three areas in particular could be potential takeover targets for larger vendors looking to round out their suites: enterprise SSO, virtual directories and privileged account management.
Identity and access management suites combine technologies that fall into four broad, interrelated categories: identity administration, identity infrastructure, access management and auditing.
Under the identity administration umbrella sits user provisioning, role management, privileged user account management and enterprise role management. The distinction between role management and enterprise role management is important. While traditional role management is static, just setting up users in roles and groups, enterprise role management is dynamic. It is role-based authentication that can cross multiple business units and functional areas in a company and be flexible to shift around roles as the structure of users changes through company growth and acquisition.
Identity infrastructure includes anything holding identity information: directories, virtual directories and metadirectories. Access management includes overseeing access to multiple applications as well as SSO technologies, both for the enterprise and the Web, and federated identity management, a close relative of SSO. Auditing includes keeping track of users and their roles, which overlaps a bit with all of the above.
Andras Cser, Forrester senior analyst, says enterprises are looking to integrated product sets for interoperability and streamlined support; it's easier to get a technical fix with a suite than with individual products. Pricing is another motivator. "If you're trying to buy a lot of functionality and even if you don't need it, the chances of getting and buying functionality are cheaper," he says. And for the most part, suites have caught up with point products in functionality, Cser adds.
Aside from helping enterprises avoid the integration headaches associated with separate products, suites can allow companies to centralize access management functions. They have a single GUI or Web interface with dashboards for providing provisioning, managing roles and groups and for managing directory services.
Integrated suites also centralize directory management, making different directory services like Active Directory and LDAP play together. Many companies use a mix of systems--mainframes, Windows and Unix environments--that were cobbled together as they grew internally or through acquisitions. Rather than rip out all their perfectly operational identity plumbing like RACF, Active Directory or LDAP, most enterprises would rather work with their existing directories. They just want the ability to manage them all with a single tool. The need to work with different directory services, which can't be easily consolidated or replaced with a single directory service, is a fundamental issue for many large enterprises.
Another advantage with IAM suites is the ability to produce reports. Reporting is at the heart of compliance with regulations like SOX, HIPAA and industry standards like the Payment Card Industry Data Security Standard (PCI DSS). Rather than relying on another product like Cognos or Actuate to crank out a report, a suite may be able to generate reports and store the data in a database for retrieval. An example is Oracle Access Manager, which leverages the company's database capabilities to store access information from different components of the suite. It has pre-built reports that can be used for compliance purposes to identify who has access to what systems. The report templates can also be used for incident management to record user access attempts or failed logins--a tell-tale sign of hacker mischief.
Reports may be Web-based or in hard copy for auditors and regulators, and they may also be integrated with security information management systems, as CA does with its suite.
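To make the two report types concrete, here is an added example (not code from the article or from any IAM product) that builds a "who has access to what" report and a failed-login report from access-log records. The key=value log format and the log lines are constructed for this example; a real suite would read from its own audit store.

```python
"""Builds two compliance-style reports from access-log records: which
systems each user successfully logged in to, and which accounts accumulated
failed logins. Added example; not code from the article or any IAM product.
The log format and the sample lines are constructed for this example."""

import re
from collections import defaultdict

# Constructed sample log lines in a simple key=value format (not a real product's format).
SAMPLE_LOG = """\
2008-04-30T09:12:03Z system=payroll user=jdoe event=login result=success
2008-04-30T09:15:41Z system=erp user=jdoe event=login result=success
2008-04-30T09:20:10Z system=payroll user=rlee event=login result=failure reason=bad_password
2008-04-30T09:20:18Z system=payroll user=rlee event=login result=failure reason=bad_password
2008-04-30T09:20:27Z system=payroll user=rlee event=login result=failure reason=bad_password
2008-04-30T09:21:02Z system=payroll user=rlee event=login result=success
2008-04-30T10:02:55Z system=erp user=asmith event=login result=failure reason=bad_password
2008-04-30T10:30:00Z system=crm user=asmith event=login result=success
this line is malformed and should be skipped
"""

# Timestamp followed by one or more key=value tokens.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>(?:\w+=\S+\s*)+)$")


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    record = {"ts": m.group("ts")}
    for token in m.group("fields").split():
        key, _, value = token.partition("=")
        record[key] = value
    return record


def parse_log(text):
    """Parse every line, silently dropping malformed ones."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def access_report(records):
    """Who-has-access-to-what: systems each user successfully logged in to."""
    access = defaultdict(set)
    for r in records:
        if r.get("event") == "login" and r.get("result") == "success":
            access[r["user"]].add(r["system"])
    return {user: sorted(systems) for user, systems in sorted(access.items())}


def failed_login_report(records, threshold=3):
    """Accounts with at least `threshold` failed logins, with per-system counts."""
    failures = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r.get("event") == "login" and r.get("result") == "failure":
            failures[r["user"]][r["system"]] += 1
    report = {}
    for user, by_system in failures.items():
        total = sum(by_system.values())
        if total >= threshold:
            report[user] = {"total": total, "by_system": dict(by_system)}
    return report


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("access:", access_report(recs))
    print("failed logins (>=3):", failed_login_report(recs))
```

The threshold is the only tunable: a compliance report would typically list every failure, while an incident-management view raises the bar so that a single mistyped password does not surface as an event.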
Also, not every product set excels in everything. A product that is outstanding in provisioning may not be as good at reporting, for example, or its GUI or Web interface may be difficult to navigate.
The growing set of features in suites also makes buying decisions more difficult. The business requirements of most companies don't always match one-to-one with every feature. According to Forrester, this is further complicated by more stakeholders, such as auditors and non-technical business people, being involved in the selection process and purchase of an identity solution.
While suites generally offer broad functionality, they tend to lack two newer technologies: virtual directories and privileged account management. Virtual directories are servers that can access identity information in real time from multiple sources in a single view without storing identity data themselves. This allows multiple directories to be queried by accessing only the virtual directory, which, in turn, accesses the physical directories to answer the identity query. Virtual directories are used for SSO and federated identity management. Only Oracle, Sun and SAP have their own full virtual directory capabilities.
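The defining property of a virtual directory is that it answers each query by consulting the physical directories at that moment rather than from a copy of its own. The following added example (not code from the article or from any vendor's product) models that behaviour: two constructed in-memory backends stand in for an Active Directory domain and an LDAP directory, each with its own attribute names, and a virtual directory layer maps both onto one canonical view without caching anything.

```python
"""Model of a virtual directory: identity queries are answered by consulting
backend directories at query time and merging the results; the virtual layer
stores no identity data. Added example; not code from the article or any
vendor product. The backends are constructed in-memory stand-ins."""

from copy import deepcopy

# Constructed backend 1: Active Directory-style records keyed by sAMAccountName.
AD_BACKEND = {
    "jdoe": {"sAMAccountName": "jdoe", "displayName": "Jane Doe",
             "memberOf": ["CN=Finance,OU=Groups", "CN=SOX-Approvers,OU=Groups"]},
    "rlee": {"sAMAccountName": "rlee", "displayName": "Ray Lee",
             "memberOf": ["CN=IT,OU=Groups"]},
}

# Constructed backend 2: LDAP-style records keyed by uid, with a different schema.
LDAP_BACKEND = {
    "jdoe": {"uid": "jdoe", "cn": "Jane Doe", "mail": "jdoe@example.com",
             "employeeNumber": "10042"},
    "asmith": {"uid": "asmith", "cn": "Al Smith", "mail": "asmith@example.com",
               "employeeNumber": "10077"},
}


class Backend:
    """Adapter exposing one physical directory through a common interface."""

    def __init__(self, name, store, attr_map):
        self.name = name
        self.store = store          # the live directory, consulted on every call
        self.attr_map = attr_map    # backend attribute name -> canonical name

    def lookup(self, user_id):
        record = self.store.get(user_id)
        if record is None:
            return {}
        # Translate to the canonical schema; copy so callers cannot mutate the backend.
        return {self.attr_map.get(k, k): deepcopy(v) for k, v in record.items()}


class VirtualDirectory:
    """Single query point over several backends; deliberately holds no cache."""

    def __init__(self, backends):
        self.backends = backends

    def lookup(self, user_id):
        merged = {"sources": []}
        for backend in self.backends:
            attrs = backend.lookup(user_id)   # real-time call, not a stored copy
            if not attrs:
                continue
            merged["sources"].append(backend.name)
            for attr, value in attrs.items():
                if attr == "groups":
                    # Group memberships from every backend are unioned.
                    merged.setdefault("groups", []).extend(value)
                elif attr not in merged:
                    # First backend in the list wins on conflicting scalars.
                    merged[attr] = value
        return merged if merged["sources"] else None


def build_virtual_directory():
    return VirtualDirectory([
        Backend("ad", AD_BACKEND,
                {"sAMAccountName": "username", "displayName": "name", "memberOf": "groups"}),
        Backend("ldap", LDAP_BACKEND,
                {"uid": "username", "cn": "name"}),
    ])


if __name__ == "__main__":
    vd = build_virtual_directory()
    print(vd.lookup("jdoe"))
    print(vd.lookup("asmith"))
```

Because the layer keeps no state, a change written to a backend is visible on the very next query, which is what lets SSO and federation components treat the virtual directory as authoritative without a synchronization step; the trade-off is that every query costs a round trip to each backend.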
And privileged account management, which protects system administrator accounts, is in demand because of compliance concerns, but isn't fully represented by any of the major IAM suites.
As the mix of systems, portals and applications--whether Web-based, client-server or mainframe--becomes increasingly complex, the need for tighter access control will grow as companies work to meet compliance demands. This will require the type of fine-grained entitlement management not currently found in IAM suites. Entitlement management further restricts access to systems and applications beyond just the types of roles and groups in traditional access management systems. It can involve restricting access based on time of day, geographical location or even type of transaction.
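The difference between the role-and-group check of traditional access management and fine-grained entitlement management is easiest to see side by side. The added example below (not code from the article or any IAM suite) evaluates the same request both ways: the coarse check considers only role, resource and action, while the entitlement check additionally enforces a time-of-day window, a permitted-location set and a transaction limit, denying by default. Policy names, roles, locations and the limit are constructed for the example.

```python
"""Traditional role/group check beside a fine-grained entitlement check that
also weighs time of day, location and transaction size. Added example; not
code from the article or any IAM suite. Policies are constructed."""

from datetime import time

# Constructed entitlement policies. "roles", "resource" and "actions" form the
# coarse role-based part; the remaining keys are fine-grained conditions.
POLICIES = [
    {
        "name": "approve-payments-business-hours",
        "roles": {"finance-approver"},
        "resource": "payments",
        "actions": {"approve"},
        "hours": (time(8, 0), time(18, 0)),   # permitted time-of-day window
        "locations": {"HQ", "VPN"},           # permitted network locations
        "max_amount": 50_000,                 # per-transaction limit
    },
    {
        "name": "view-payments",
        "roles": {"finance-approver", "finance-analyst"},
        "resource": "payments",
        "actions": {"view"},                  # no extra conditions
    },
]


def _in_window(t, start, end):
    """True if t falls within [start, end]; handles windows that cross midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def _role_match(policy, request):
    """The coarse part shared by both checks: role, resource and action."""
    return (request["resource"] == policy["resource"]
            and request["action"] in policy["actions"]
            and bool(set(request["roles"]) & policy["roles"]))


def rbac_allows(request, policies=POLICIES):
    """Traditional access management: roles/groups, resource and action only."""
    return any(_role_match(p, request) for p in policies)


def entitlement_allows(request, policies=POLICIES):
    """Fine-grained entitlement check. Returns (allowed, reason); default deny."""
    reasons = []
    for p in policies:
        if not _role_match(p, request):
            continue
        if "hours" in p and not _in_window(request["time"], *p["hours"]):
            reasons.append(f"{p['name']}: outside permitted hours")
            continue
        if "locations" in p and request["location"] not in p["locations"]:
            reasons.append(f"{p['name']}: location {request['location']} not permitted")
            continue
        if "max_amount" in p and request.get("amount", 0) > p["max_amount"]:
            reasons.append(f"{p['name']}: amount exceeds limit")
            continue
        return True, f"allowed by {p['name']}"
    if not reasons:
        reasons.append("no matching policy")
    return False, "; ".join(reasons)


def make_request(roles, resource, action, at, location, amount=0):
    """Bundle the attributes an entitlement decision needs into one request."""
    return {"roles": roles, "resource": resource, "action": action,
            "time": at, "location": location, "amount": amount}


if __name__ == "__main__":
    req = make_request(["finance-approver"], "payments", "approve", time(22, 0), "HQ", 20_000)
    print("rbac:", rbac_allows(req))
    print("entitlement:", entitlement_allows(req))
```

The reason string matters as much as the boolean: it is what the audit trail records when a role-holder is refused, and it tells the reviewer which condition, not which role, blocked the transaction.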
Compliance requirements are also affecting the growth of the IAM suite in the area of multifactor authentication. An example is the directive in 2005 from the Federal Financial Institutions Examination Council (FFIEC) recommending two-factor authentication for Web-based banking. So not only do IAM suites have to handle standard user IDs and passwords, they're now expected to handle smart cards, one-time password (OTP) tokens and even biometrics.
This trend will grow as IAM suites will also have to bear the burden of the integration of logical and physical security, much of it underpinned by smart cards and other two-factor authentication devices.
The evolution of IAM suites is driven both by the natural trend of consolidation in all industries and market demand for compliance tools. Compliance doesn't equal security but, for better or worse, compliance is king, and IAM suites are just following the lead.