Information Security

Defending the digital infrastructure


Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Identity Management Suites Enable Integration, Interoperability

IDENTITY MANAGEMENT Feature-rich product suites are putting a face on integration and interoperability.

Feature-rich suites are putting a face on integration and interoperability.

Compliance and consolidation are at the forefront of IT security, especially when it comes to identity and access management (IAM).

Today's regulatory environment requires companies to track and control who has access to what. Meanwhile, the tools for managing that access have grown from sets of distinct products into full-blown suites. It's a result of the wave of acquisitions overtaking the IT security marketplace, with larger vendors gobbling up smaller players to broaden their security portfolios. Even companies not known as traditional players in the IAM market, like database giant Oracle, have jumped onto the playing field.

And identity and access management is hot. In a study released earlier this year, Forrester Research projects the IAM market to grow from $2.6 billion in 2006 to $12.3 billion by 2014, driven largely by compliance.

Forrester also notes that enterprises are shifting away from point products to integrated, feature-rich identity suites to ensure interoperability. Companies are looking for solid players that will be around a long time, grow with them and provide support. Suites offered by established industry players meet this requirement. But they can be time-consuming and costly to deploy, and not live up to their promise of providing an identity panacea.

Prior to 2005
, the traditional players in the IAM market were Novell, Sun, IBM and Microsoft. They offered basic identity management products linked to directory services, such as Active Directory (Microsoft) and LDAP (Sun). Other vendors at the time were SAP, BMC, CA and RSA Security, offering various pieces of the identity puzzle such as provisioning and authentication. Many smaller players offered niche products like role management and virtual directories.

Then two things happened in 2005: compliance with regulations such as Sarbanes-Oxley (SOX) started to hit full swing and the acquisition wave took hold. Oracle surprised industry observers with its purchases of two start-ups, user provisioning vendor Thor and virtual directory specialist OctetString. The additions followed Oracle's acquisition that year of Oblix, a supplier of Web access controls. Also in 2005, CA acquired software from InfoSec to clean up obsolete identities, and BMC grabbed Web access vendor OpenNetwork Technologies and Calendra, a supplier of directory management products.

The consolidation wave continued in 2006. Sun acquired Neogent, a product for automating identity management, while RSA acquired Web site authentication companies Cyota and PassMark Security and in turn was snapped up by storage giant EMC. Last year, Oracle bought Bharosa, a supplier of strong authentication for Web sites, and Bridgestream, an enterprise role management software company, while Sun purchased Vaau, another role management vendor. The Vaau acquisition is the cornerstone of a plan announced by Sun in March to expand its IAM suite and face Oracle and IBM head on. In March, IBM acquired enterprise single sign-on (SSO) vendor Encentuate.

All these acquisitions have largely shifted the IAM market to a few big players offering integrated suites. There are plenty of small vendors offering standalone products, but three areas in particular could be potential takeover targets for larger vendors looking to round out their suites: enterprise SSO, virtual directories and privileged account management.

Identity and access
management suites combine technologies that fall into four broad, interrelated categories: identity administration, identity infrastructure, access management and auditing.

Under the identity administration umbrella sits user provisioning, role management, privileged user account management and enterprise role management. The distinction between role management and enterprise role management is important. While traditional role management is static, just setting up users in roles and groups, enterprise role management is dynamic. It is role-based authentication that can cross multiple business units and functional areas in a company and be flexible to shift around roles as the structure of users changes through company growth and acquisition.

Identity infrastructure includes anything holding identity information: directories, virtual directories and metadirectories. Access management includes overseeing access to multiple applications as well as SSO technologies, both for the enterprise and the Web, and federated identity management, a close relative of SSO. Auditing includes keeping track of users and their roles, which overlaps a bit with all of the above.

An obvious upside
to suites is that they offer the whole IAM pie to customers--suites are a one-stop shop for the four main functional areas of IAM. All of them offer user provisioning, while enterprise SSO is a component of some large suites, including those from BMC, CA, IBM, Novell and Oracle. Evidian, a specialist in SSO and federated identity management, has those functions as the centerpiece of its suite.

Andras Cser, Forrester senior analyst, says enterprises are looking to integrated product sets for interoperability and streamlined support; it's easier to get a technical fix with a suite than with individual products. Pricing is another motivator. "If you're trying to buy a lot of functionality and even if you don't need it, the chances of getting and buying functionality are cheaper," he says. And for the most part, suites have caught up with point products in functionality, Cser adds.

Aside from helping enterprises avoid the integration headaches associated with separate products, suites can allow companies to centralize access management functions. They have a single GUI or Web interface with dashboards for providing provisioning, managing roles and groups and for managing directory services.

Integrated suites also centralize directory management, making different directory services like Active Directory and LDAP play together. Many companies use a mix of systems--mainframes, Windows and Unix environments--that were cobbled together as they grew internally or through acquisitions. Rather than rip out all their perfectly operational identity plumbing like RACF, Active Directory or LDAP, most enterprises would rather work with their existing directories. They just want the ability to manage them all with a single tool. The need to work with different directory services, which can't be easily consolidated or replaced with a single directory service, is a fundamental issue for many large enterprises.

Another advantage with IAM suites is the ability to produce reports. Report- ing is at the heart of compliance with regulations like SOX, HIPAA and industry standards like the Payment Card Industry Data Security Standard (PCI DSS). Rather than relying on another product like Cognos or Actuate to crank out a report, a suite may be able to generate reports and store the data in a database for retrieval. An example is Oracle Access Manager, which leverages the company's database capabilities to store access information from different components of the suite. It has pre-built reports that can be used for compliance purposes to identify who has access to what systems. The report templates can also be used for incident management to record user access attempts or failed logins--a tell-tale sign of hacker mischief.

Reports may be Web-based or in hard copy for auditors and regulators, and they may also be integrated with security information management systems, as CA does with its suite.

Waiting Game
Network access control will have a critical role in the identity management mix, but integration may take a while.

It might seem that network access control (NAC) and identity and access management (IAM) suites are a perfect match. After all, both are about controlling access to systems. NAC checks and verifies endpoints before allowing them access to the network, while IAM checks users before allowing them access to the system. The marriage of hardware authentication and access control sounds ideal, but companies hoping for a quick union will have to wait a little while longer.

For sure, in the next few years NAC will have to become part of the standard feature set of IAM suites. As more companies have more laptop-clad and remote workers, NAC will become a necessity to defend the network from a loosening perimeter. That means NAC will have to become part of the IAM mix to bring those far-flung endpoints under control. When a company laptop is stolen from a coffee shop or hotel room, it's as much a NAC issue as an IAM issue to protect not only the data on the laptop, but to prevent the thief from using it to maliciously access the corporate network.

But NAC is farther behind in development than IAM. The products aren't as mature and the vendors haven't coalesced into cohesive suites, as they have with IAM. NAC also isn't as finely grained yet. It might be good for controlling access by contractors and partners but falls short on functions like the role-based access control required for hooking up with IAM.

Despite the obstacles, there are interesting developments percolating between IAM and NAC. Oracle's IAM suite, Oracle Identity Management (OIM), unifies access management across the network and application layers, providing fine-grained access control to applications based on network policies and connection and device type. Also, at Oracle OpenWorld in 2006, NAC provider Identity Engines showed a product that works with OIM. The Identity Engines Ignition Server was also showcased as meshing with Oracle Access Manager, Oracle Identity Manager, Oracle Internet Directory and Oracle Virtual Directory. Gartner has cited Oracle as the leader in NAC and IAM integration.

Another development, on a far smaller scale than the Oracle venture, is a hardware appliance from A10 Networks, IDsentrie. Though far from a full-blown IAM suite, IDsentrie takes care of both NAC and IAM functions by providing not only network authentication for remote and wireless devices, but also central account management, group management and access rights management. It also integrates with both Active Directory and LDAP, making it flexible for different architectures.


But suites don't
always deliver on their promise to be the panacea for all of an enterprise's IAM issues. First off, rolling out an entire IAM suite can be a time-consuming and costly venture for any company. Depending on the size of the organization, the costs could start in the hundreds of thousands of dollars and go up from there. For an enterprise with hundreds of offices and operations around the globe, deployment of a full suite is usually done in stages and can take a couple of years, and then only if everything goes smoothly. An enormous amount of planning goes into integrating an IAM suite with a company's architecture and existing directory services, including set up or migration of users, roles and groups to the new system.

Second, not every product set excels in everything. A product that is outstanding in provisioning may not be as good at reporting, for example, or its GUI or Web interface may be difficult to navigate.

The growing set of features in suites also makes buying decisions more difficult. The business requirements of most companies don't always match one-to-one with every feature. According to Forrester, this is further complicated by more stakeholders such as auditors and non-technical business people involved in the selection process and purchase of an identity solution

While suites generally offer broad functionality, they tend to lack two newer technologies: virtual directories and privileged account management. Virtual directories are servers that can access identity information in real time from multiple sources in a single view without storing identity data themselves. This allows multiple directories to be queried by accessing only the virtual directory, which, in turn, accesses the physical directories to answer the identity query. Virtual directories are used for SSO and federated identity management. Only Oracle, Sun and SAP have their own full virtual directory capabilities.

And privileged account management, which protects system administrator accounts, is in demand because of compliance concerns, but isn't fully represented by any of the major IAM suites.

What's Ahead
As the mix
of systems, portals and applications-- whether Web-based, client-server or mainframe-- becomes increasingly complex, the need for tighter access control will grow as companies work to meet compliance demands. This will require the type of fine-grained entitlement management not currently found in IAM suites. Entitlement management further restricts access to systems and applications beyond just the types of roles and groups in traditional access management systems. It can involve restricting access based on time of day, geographical location or even type of transaction.

Compliance requirements are also affecting the growth of the IAM suite in the area of multifactor authentication. An example is the directive in 2005 from the Federal Financial Institutions Examination Council (FFIEC) recommending two-factor authentication for Web-based banking. So not only do IAM suites have to handle standard user IDs and passwords, they're now expected to handle smart cards, one-time password (OTP) tokens and even biometrics.

This trend will grow as IAM suites will also have to bear the burden of the integration of logical and physical security, much of it underpinned by smart cards and other two-factor authentication devices.

The evolution of IAM suites is driven both by the natural trend of consolidation in all industries and market demand for compliance tools. Compliance doesn't equal security but, for better or worse, compliance is king, and IAM suites are just following the lead.

Article 9 of 14

Dig Deeper on Active Directory security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

Get More Information Security

Access to all of our back issues View All