Archive for the ‘identity’ Category

IBM's identity management becomes user-centric: HP's identity management exit strategy

Thursday, May 22nd, 2008
Courtesy of InternetNews on Tuesday I learned that IBM has added support for OpenID, Windows CardSpace and Eclipse’s Higgins Identity Framework to its Tivoli Federated Identity Manager (FIM) offering. As one of the enterprise identity management heavyweights, IBM’s announcement is an important endorsement of user-centric identity approaches. Such approaches are still in the formative phase of the adoption curve, particularly in the enterprise, so I see this is an investment for the future for IBM. IBM’s significant installed base should help to increase awareness, particularly for organisations supporting external user communities.

IBM’s press release provides more details on the user-centric credentials (no pun intended!) of FIM. It also discusses the product’s SOA Identity Service, which is designed to address some of the challenges associated with identity lifecycle management and audit where service-oriented approaches are applied to siloed applications with siloed security. These challenges are something I highlighted back in February 2006 and are a barrier to the realisation of the value of SOA as it moves out of project-level deployments. I see the SOA Identity Service as the more important aspect of this announcement, with SOA being a more pressing IT (and hopefully business) concern than user-centric identity.

As an aside, the InternetNews article mentions that the enterprise identity management market

is becoming increasingly competitive with offerings from HP, CA and Oracle.

Can’t fault the journalist on CA and Oracle … but HP! Earlier in the year the company announced that it was no longer going to be selling its Identity Center products to new customers: hardly a competitive force. As part of this (hopefully for its customers) graceful retreat from the market, HP announced that it has established an exclusive agreement with Novell whereby the two companies will

jointly offer migration services, HP will resell Novell identity and security management solutions and Novell will license HP Identity Center technology

When HP originally announced that it was exiting the market, it stated that it would continue to support and develop Identity Center for its existing customers so I was somewhat surprised to see it offering a migration programme. I wonder whether those customers didn’t see this as an effective way forward for what is critical infrastructure. Whilst the programme was a surprise, the partner wasn’t. Where else could HP have gone? BMC, CA or IBM: hardly, given the competition in the IT service/systems management markets (and numerous others in the case of IBM). Sun: difficult given competition in the hardware space. Oracle: would have made things difficult for HP’s SAP alliance team. Microsoft: lacks the heterogeneous environment support and breadth of functionality that HP’s customers need. So, whilst I am sure the sentiments behind Ben Horowitz’s (VP and GM, Business Technology Optimization, Software, HP) statement that HP chose Novell

because of its outstanding set of technologies, recognized market leadership and tremendous commitment to working with HP customers

are real, the company didn’t have too many others to choose from!

Just like buses …

Wednesday, March 12th, 2008
… you’re waiting for an identity management acquisition and then along come three at once. This time it’s IBM which has acquired 40-person, privately-held Encentuate. If you think that Encentuate’s size is indicative of gap-filling motivations from IBM then you’d be right. The 7-year-old company is a specialist in enterprise single sign-on (ESSO), which until now has been provided through IBM’s OEM relationship with Passlogix. Clearly, owning rather than OEMing technology gives IBM greater control of its ESSO destiny – particularly as Encentuate is Java-based which should help with integration with the broader Tivoli identity management portfolio. In fact, during the announcement briefing the two companies explained how Tivoli Identity Manager is already able to manage Encentuate provisioning (although there are no production customer deployments). This is presumably the result of work that IBM Global Services did with Encentuate at the Singapore Government: the two companies weren’t technology partners.

Having said this is largely about filling gaps in the IBM identity management portfolio, Encentuate does bring more than ESSO to the IBM table. The company has done a good job of integrating with a variety of strong authentication solutions and has a rather nifty ability to take physical access tokens (door swipes and so forth) so that they can be used as second authentication factors. Encentuate also has some neat audit and compliance capabilities which IBM will undoubtedly tie into the Tivoli Compliance Insight Manager (based on the acquisition of Consul in late 2006). In addition to the technology upside, Encentuate could also help IBM in the healthcare market, where smaller players such as Imprivata and Sentillion have done quite well: there’s a good smattering of healthcare customers amongst Encentuate’s 80.

Overall a smart acquisition by IBM. I am not so sure whether IBM’s Tivoli Access Manager for Enterprise Single Sign-on customers will be quite so happy though. The company has committed to continued support but the next iteration of the product is going to shift from Passlogix to Encentuate. IBM will make it attractive for them to move but replacing identity and security solutions is, by definition, a risky business and I am sure they will have to carefully balance the risks of moving against those associated with sticking with a product which is not going to see further development.

More acquisition activity in the identity space

Wednesday, March 12th, 2008
Hot on the heels of last week’s acquisition of Credentica by Microsoft, Ping Identity (who I covered here in an On The Radar report) announced yesterday that it has acquired the Sxip Access business unit from Sxip Identity.

Sxip was early to spot the potential opportunity in providing organisations with a simple, easy-to-deploy single sign-on (SSO) solution for software-as-a-service (SaaS). Sxip Access was its response to that opportunity, combining provisioning capabilities with some Sxip hosted services and an appliance. The company had also cultivated relationships with the likes of Salesforce.com and Google (for Google Apps).

The acquisition of Sxip Access is a smart move by Ping Identity. Although it can be used to provide SSO for SaaS, PingFederate (the company’s flagship multi-protocol federated identity offering) lacks some of the rapid implementation and deployment capabilities of Sxip Access. Part of the SaaS proposition is that organisations can get up to speed much more rapidly. Authentication and authorisation shouldn’t hold you back: something that Sxip Access should help to prevent. Back in September Ping began to actively target the SaaS opportunity, allowing providers to sell PingFederate-based SSO to their customers and share the revenue with Ping. Yesterday’s announcement should accelerate this.

(As an aside, I do wonder whether we might see Ping’s SignOn.com user-centric identity offering heading in the other direction, given that Sxip is now fairly and squarely focused there.)

Ping and Sxip, whilst they are comparatively small, punch above their weight when it comes to identity mindshare. I wonder whether this announcement might shake the much larger incumbent identity management vendors, none of whom have really articulated a credible SaaS proposition, into action. It should. SaaS buying decisions often bypass the IT organisation and the business buyers aren’t (and in fact shouldn’t be) interested in identity management: they want access. If a Salesforce.com recommends that the customer just needs to get their IT department to deploy this box and hook it up to the existing identity management solution so be it. Job done. With SaaS increasing in popularity, particularly in the SME segment where they have struggled to gain a foothold, the incumbents need a strong proposition or lose out to the likes of Ping.

Experian partners with Microsoft to develop an identity selector proof of concept

Wednesday, December 19th, 2007
Perhaps it’s because we’re in the run up to the holiday season, or because the press release came from the UK, but there has been a surprising lack of commentary on the announcement that Experian has developed a CardSpace proof of concept with Microsoft. This is notable for a couple of reasons.

First it’s another of what is still a comparatively rare breed of “real-world” adoptions of CardSpace (Otto in Germany, which I commented on back in September, being another).

Second, it sees Experian exploiting the wealth of information it has gathered about individuals, together with its relationships with commerce service providers due to its position as the largest credit checking agency in the UK (it claims to process over 70% of all UK credit applications), to position itself as an identity provider.

In a nutshell Experian plans to issue individuals with an ‘Experian Card’ information card. When the individual visits a CardSpace-enabled site, they will be able to present the ‘Experian Card’ when challenged to provide credentials and other identity-related data. CardSpace (and presumably non-Microsoft identity selector alternatives, such as the Bandit Project’s DigitalMe) would then send a request to Experian to validate the identity and return a signed token to be used by the site to determine whether the individual is who they claim to be.

Having a proof-of-concept is one thing but Experian is in a similar position to the first person to invest in a fax machine. They need others to participate if the technology isn’t to languish as just an interesting experiment. Experian, because it is already trusted by service providers, is well positioned to get the identity selector ball rolling and according to the press release is

already in discussion with a number of organisations

and

will be in a position to demonstrate it to organisations, with the ultimate intention of launching an Identity Management Service in the near future.

That’s only half the story though. The customers of those service providers also need to come on board. Whilst the wallet metaphor of CardSpace is intuitive, we have all grown too accustomed to the username/password/PIN/mother’s maiden name … approach to authentication and I am not convinced by Experian’s claims that

there will be enormous demand for such a service from … consumers

Rather, I think Experian is going to have to encourage service providers to actively promote the identity selector approach, not least because individuals (unless they are using Windows Vista) are going to have to install CardSpace or a non-Microsoft alternative.

I definitely don’t want to pour cold water on the announcement. It’s encouraging to see the adoption of “user-centric” (a term that I think is going to be bandied about less in 2008) alternatives to traditional authentication mechanisms, given the enhanced usability and security, and I hope we do see a launch with a healthy group of service providers in the near future. Definitely something to watch.

Roles play a prominent role in identity management this week

Friday, November 16th, 2007
Back in September Oracle announced that it had acquired privately-held Enterprise Role Management (ERM) player Bridgestream, continuing its “identity management-through-acquisition” strategy. With many eyes focused on the company’s Oracle Open World shindig this week, Sun also entered the fray with its plans to acquire another leading ERM independent: Vaau. Role-based access control (RBAC) is hardly new: the US National Institute of Standards and Technology (NIST) initiated standardisation efforts back in 2000 and an ANSI/INCITS standard (359-2004 if you’re that way inclined) was published in 2004. So why all this acquisition activity?

As with many things identity management, it’s primarily driven by compliance, with a small helping of increased operational efficiency and cost reduction. As well as promising to streamline the provisioning and de-provisioning of entitlements, roles can help organisations to define, enforce and demonstrate those entitlements to address regulatory compliance demands.

The realisation of that potential, however, has proved elusive. Organisations have struggled to identify (!) the roles that they need, and inconsistent management approaches have often resulted in an explosion of roles to the point where there are as many roles as users. The likes of Bridgestream, Eurekify and Vaau, whose offerings provide role discovery, analysis, allocation and provisioning, emerged specifically to address these challenges, creating the identity management sub-market of ERM along the way.
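The bottom-up role discovery that the ERM products above perform starts from the raw user-to-entitlement assignments. The following is an added illustration written for this post, not code from Bridgestream, Eurekify, Vaau or any other vendor: users holding exactly the same entitlement set become a candidate role, users matching no role are flagged as exceptions, subset relations between roles suggest a hierarchy, and a simple ratio shows how close an organisation is to the “as many roles as users” state. The sample assignments and all function names are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of user -> entitlement assignments, the kind of data an ERM
# role-discovery tool mines. Names are this example's own, not from any product.
ASSIGNMENTS = {
    "alice": {"crm.read", "crm.write"},
    "bob": {"crm.read", "crm.write"},
    "carol": {"crm.read", "crm.write"},
    "dave": {"hr.read", "payroll.read"},
    "erin": {"hr.read", "payroll.read"},
    "frank": {"crm.read", "crm.write", "hr.read", "payroll.read", "finance.approve"},
    "grace": {"crm.read"},
}


def discover_roles(assignments, min_members=2):
    """Bottom-up role discovery: users holding exactly the same entitlement set form
    one candidate role. Sets held by fewer than min_members users are not promoted
    to roles, which is what keeps per-user quirks from becoming one role each."""
    by_perms = defaultdict(list)
    for user, perms in assignments.items():
        by_perms[frozenset(perms)].append(user)
    roles = [
        {"permissions": sorted(perms), "members": sorted(members)}
        for perms, members in by_perms.items()
        if len(members) >= min_members
    ]
    # Largest roles first; ties broken by permission list for a stable ordering.
    return sorted(roles, key=lambda r: (-len(r["members"]), r["permissions"]))


def exceptions(assignments, roles):
    """Users whose entitlements match no discovered role. These are the accounts a
    reviewer should look at first: they are where direct grants accumulate."""
    covered = {u for r in roles for u in r["members"]}
    return sorted(u for u in assignments if u not in covered)


def role_hierarchy(roles):
    """Index pairs (i, j) where roles[i]'s permissions are a strict subset of
    roles[j]'s, i.e. roles[j] could be modelled as roles[i] plus extra grants."""
    sets = [set(r["permissions"]) for r in roles]
    return sorted(
        (i, j)
        for i in range(len(sets))
        for j in range(len(sets))
        if i != j and sets[i] < sets[j]
    )


def role_explosion_ratio(assignments):
    """Distinct entitlement sets divided by users: 1.0 means every user is
    effectively their own role, the failure mode the post describes."""
    distinct = {frozenset(p) for p in assignments.values()}
    return len(distinct) / len(assignments)


if __name__ == "__main__":
    roles = discover_roles(ASSIGNMENTS)
    for r in roles:
        print(r["permissions"], "->", r["members"])
    print("exceptions:", exceptions(ASSIGNMENTS, roles))
    print("explosion ratio: %.2f" % role_explosion_ratio(ASSIGNMENTS))
```

Running the example with the default threshold yields two roles (a CRM role with three members and an HR/payroll role with two) and flags frank and grace as exceptions. Lowering `min_members` to 1 turns every distinct set into a role, which is exactly the explosion the threshold is there to prevent; the hierarchy function then shows the single-user sets as subsets or supersets of the real roles.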

With compliance top-of-mind for many of their customers and prospects, the major identity management suite vendors who were unable to respond as rapidly as the nimble ERM start-ups quickly established partnerships and, in some cases, moved beyond the press release to actually provide pre-built integration. Sun, for example, provides bi-directional data integration with Vaau (which should help to speed up the integration process). With two of the leading ERM players now in the hands of competitors, this leaves the likes of CA and IBM in an interesting position. Their partnership teams no doubt have their eyes (and potentially their wallets) pointing in the direction of Israel, where Eurekify is based.

Some of you may wonder why I didn’t include Novell in this list. Had I been writing this post straight after the Sun announcement it would have been included. But not long after the announcement I came across this post from an identity management group blog at Novell, which discusses how the company has been building its own role management capabilities, focused on role provisioning, exploiting its directory heritage (discussed in more detail in our assessment here) and partnership with Eurekify for role discovery and analysis. The post’s author claims no knowledge of acquisition talks. Then lo and behold, and far be it from me to suggest that Sun’s announcement had anything to do with the timing, the next day Novell announced its new Roles Based Provisioning Module.

Of course, a Eurekify acquisition by Novell could still be on the cards, despite the blogger’s ignorance of any such discussions, but it seems to me based on Novell’s stated strategy that the Israeli company is more likely to end up in the arms of CA or IBM.

The implications for customers are varied. Bridgestream and Vaau customers, who have plumped for a vendor other than Oracle or Sun, should be a little nervous and seeking concrete assurances regarding ongoing support. Customers of the likes of CA, IBM and Novell who are considering ERM will have to think very carefully before plumping for Bridgestream or Vaau for similar reasons.

New On The Radar report: Arcot Systems

Monday, October 8th, 2007

Those of you with an interest in authentication, online payment and digital document signing solutions might want to take a look at our latest On The Radar report, which focuses on Arcot Systems.

Arcot is a 120-person company headquartered in California with a suite of four software-only authentication solutions, which should be of interest if you are required to provide large numbers of customers or business partners with strong authentication capabilities, especially if you are also providing commerce services. They should also be relevant if you are operating in a heavily regulated, document-centric environment.

Has CardSpace become Passport?

Friday, September 28th, 2007
Ben Laurie of The Bunker Secure Hosting has a provocative post about the two emerging (and that’s important) leaders in user-centric identity: OpenID and CardSpace. He quite rightly points out that at present OpenID’s:

popularity is entirely on the provider side. There are no consumers of note.

and that CardSpace:

appears to live in its own little world, supported only by Microsoft products

I think this is to be expected given that we are still in the early stages of both.

Where I find myself disagreeing with Ben, however, is with his conclusion about CardSpace:

So why does this make Cardspace like Passport? Well, the fear with Passport was that Microsoft would control all your identity. The end result was that Microsoft was the only serious consumer of Passport. When Cardspace is deployed such that all providers and consumers of identity are really the same entity, then all its alleged privacy advantages evaporate. As I have pointed out many times before, when consumers and providers collude, nothing is secret in Cardspace (and all other standard signature-based schemes). So, there’s no practical difference between Cardspace and Passport right now.

Ben’s right about the implications for privacy when those consuming identity information collude with those providing it, but that’s not an issue peculiar to CardSpace.

Even though Microsoft would (and indeed does) agree that Passport was a failure due to the company’s control of identity data, I think Ben doesn’t tell the whole story. It wasn’t just down to control of an individual’s identity data. It was also due to the fact that Passport and Hailstorm were designed from the outset to wrest control of identity data from Microsoft’s business partners and customers. The same cannot be said of CardSpace and that’s why I believe there is a difference between CardSpace and Passport. There are already examples, Otto in Germany springs to mind, of organisations other than Microsoft using CardSpace and, as I said, it’s still early days.
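Two points in the posts above lend themselves to a concrete walk-through: the information-card flow sketched in the Experian post (selector fetches a signed token from the identity provider, the site checks it) and Ben’s observation that, with an ordinary signature-based token, a relying party and an identity provider that pool their records can link everything. The simulation below is an added example written for this archive, not code from Microsoft, Experian, Ben Laurie or any product. It assumes its own names (`IdentityProvider`, `RelyingParty`, `identity_selector`) and one deliberate simplification, labelled in the code: the provider’s signature is modelled as an HMAC over a key it has shared with each site, where a real information-card token carries a public-key signature. The relying party’s checks (issuer trust, integrity, audience, validity window) and the linkage through the provider’s issuance log do not depend on that simplification.

```python
import hashlib
import hmac
import json
import secrets

# Constructed simulation; names and keys are this example's own.
# Simplification: HMAC with a key shared between provider and site stands in for the
# provider's public-key signature on a real information-card (SAML) token.


class IdentityProvider:
    """Issues tokens about a subject for a named site and keeps an issuance log."""

    def __init__(self, name, signing_key):
        self.name = name
        self._key = signing_key
        self.issuance_log = {}  # token id -> (subject, audience)

    def issue_token(self, subject, claims, audience, now, lifetime=300):
        token_id = secrets.token_hex(8)
        body = {"iss": self.name, "sub": subject, "aud": audience, "iat": now,
                "exp": now + lifetime, "jti": token_id, "claims": claims}
        payload = json.dumps(body, sort_keys=True)
        signature = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        # The provider necessarily learns who asked, for which site, and when.
        # This record is what makes collusion with a site linkable later on.
        self.issuance_log[token_id] = (subject, audience)
        return {"payload": payload, "signature": signature}

    def identify_presented_token(self, token):
        """Collusion step: a site hands a token it received back to the provider,
        which simply looks it up. With a plain signature scheme this always works."""
        token_id = json.loads(token["payload"])["jti"]
        return self.issuance_log.get(token_id)


class RelyingParty:
    """A CardSpace-enabled site: checks issuer, integrity, audience and validity."""

    def __init__(self, name, trusted_issuers):
        self.name = name
        self._trusted = trusted_issuers  # issuer name -> verification key

    def accept(self, token, now):
        body = json.loads(token["payload"])
        key = self._trusted.get(body.get("iss"))
        if key is None:
            return None  # unknown or untrusted identity provider
        expected = hmac.new(key, token["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["signature"]):
            return None  # altered or forged token
        if body.get("aud") != self.name:
            return None  # token was issued for another site
        if not (body["iat"] <= now < body["exp"]):
            return None  # outside the validity window
        return body["claims"]


def identity_selector(card, relying_party, identity_provider, now):
    """The selector (CardSpace or an alternative) turns the chosen card into a fresh
    token from its issuer, scoped to the site that challenged the user."""
    return identity_provider.issue_token(subject=card["subject"], claims=card["claims"],
                                        audience=relying_party.name, now=now)


# Constructed sample data: one provider, two unrelated sites, one managed card.
IDP_KEY = b"constructed-demo-key-not-a-real-secret"
idp = IdentityProvider("idp.example", IDP_KEY)
shop = RelyingParty("shop.example", {"idp.example": IDP_KEY})
bank = RelyingParty("bank.example", {"idp.example": IDP_KEY})
CARD = {"subject": "user-1234", "claims": {"age_over_18": True, "postcode_match": True}}


def run_flow(now=1_000_000):
    """Returns (shop claims, bank claims, cross-site replay result, collusion linkage)."""
    t_shop = identity_selector(CARD, shop, idp, now)
    t_bank = identity_selector(CARD, bank, idp, now)
    shop_claims = shop.accept(t_shop, now)
    bank_claims = bank.accept(t_bank, now)
    replay = bank.accept(t_shop, now)  # the shop's token presented at the bank
    # Collusion: both sites forward their tokens to the provider, which ties the two
    # otherwise separate visits to the same subject.
    linked = (idp.identify_presented_token(t_shop), idp.identify_presented_token(t_bank))
    return shop_claims, bank_claims, replay, linked


if __name__ == "__main__":
    print(run_flow())
```

The audience check is why a token captured at one site is useless at another, and the validity window bounds how long a leaked token matters; both are cheap and both are the kind of thing Experian’s pilot relying parties would need to get right. The final tuple shows Ben’s point: nothing in the token hides the subject from a provider that is asked, so the privacy properties rest entirely on the provider and the sites not pooling their records.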

Shock, horror: Microsoft and Concordia

Thursday, June 7th, 2007
Microsoft agrees to participate in ID project

For the first time representatives of Liberty Alliance and Microsoft are going to sit down together

Microsoft is to meet this month with vendors and organisations that are backing several different identity management systems. The Microsoft meeting suggests that cooperation between the software giant and its peers is improving.

These are just a few examples of press excitement resulting from the formal announcement of the Liberty Alliance’s Concordia project and the news that Burton Group’s Catalyst 2007 conference will host a panel discussion between representatives from Liberty, Microsoft and OpenID about identity interoperability. Perhaps it’s because I have been following identity so closely over the last few years but I can’t say that this really justifies the implication of the headlines that this represents a significant change of heart for Microsoft. Microsoft has been an active participant in (and arguably leading) the charge towards interoperable identity solutions for a number of years.

Far more interesting, as far as I am concerned, is what the panel will be discussing. Concordia is initially focusing on gathering real-world use cases some of which will be presented to the panel. With effective identity management so critical to many of the strategic challenges and opportunities that organisations are faced with today, it’s time to move away from “vendor sports” and address the needs of those organisations.

Realising the identity metasystem

Monday, May 28th, 2007

It’s perhaps unsurprising, given all the brouhaha surrounding Microsoft’s claims that open source software infringes on 235 of its patents (which incidentally I take to be largely ‘sabre rattling’ from Redmond in the face of the implications of the GPLv3 for its deal with Novell, as discussed in the Risk Factors of the latter’s recent 10-K filing), that some recent news regarding the Redmond company’s very positive collaboration with the open source community has not received the attention it deserves.

The news in question concerns a series of announcements the company made at last week’s Interop conference in Las Vegas. These announcements, as the title of the post suggests, all revolve around Microsoft’s vision for an Internet-scale, interoperable identity metasystem and range from additions to the Open Specification Promise (OSP) through to support for OpenLDAP with Microsoft’s Identity Lifecycle Manager.

So, what did they announce? First, Microsoft is

making the Identity Selector Interoperability Profile available under the OSP to enhance interoperability in the identity metasystem for client computers using any platform. An individual open source software developer or a commercial software developer can build its identity selector software and pay no licensing fees to Microsoft, nor will it need to worry about future patent concerns related to the covered specifications for that technology

In other words, third parties are free to build the equivalent of Microsoft’s CardSpace, following the likes of the Higgins project, Ian Brown’s Apple Safari Plug-In and Chuck Mortimore’s Firefox Identity Selector. This is important not only because it extends the reach of CardSpace-like capabilities beyond Windows but also because it facilitates the consistent user experience (I know because I have used CardSpace, the Safari Plug-In and the Firefox Identity Selector) which helps to reduce errors and misunderstanding by users.

Second, Microsoft

is starting four open source projects that will help Web developers support information cards, the primary mechanism for representing user identities in the identity metasystem. These projects will implement software for specifying the Web site’s security policy and accepting information cards in Java for Sun Java System Web Servers or Apache Tomcat or IBM’s WebSphere Application Server, Ruby on Rails, and PHP for the Apache Web server. An additional project will implement a C Library that may be used generically for any Web site or service. These implementations will complement the existing ability to support information cards on the Microsoft® Windows® platform using the Microsoft Visual Studio® development environment.

Or, to put it another way, doing for back end servers what the first announcement is doing for the front-end: enabling web sites and enterprises running a wide variety of web server infrastructure to support authentication using CardSpace and the other identity selectors.

The cynical amongst you might be forgiven for thinking that these two announcements are just Microsoft paying lip service to interoperability. This post should help to allay your concerns: at the Internet Identity Workshop earlier in May the Open Source Identity Selector (OSIS) group demonstrated interoperability amongst 5 identity selectors, 11 relying parties (the party relying on authentication to prove an identity), 7 identity providers (the party asserting the identity), 4 types of identity token (the mechanism for conveying the identity assertion), and 2 authentication mechanisms. Also, on the same day as the Microsoft press release, Internet2 announced plans to extend Shibboleth, a federated web single sign-on solution based on SAML that is widely used amongst educational institutions, to support CardSpace and compatible identity selectors.

The third piece of news from Redmond last week concerned the new Identity Lifecycle Manager product and is thus primarily focused behind the firewall. Microsoft is going to be working with KERNEL Networks and Oxford Computer Group to enable bi-directional synchronisation of identity data between OpenLDAP, an open source implementation of the ubiquitous directory standard, and Microsoft’s Active Directory. Identity Lifecycle Manager already supports a wide range of the commonly-deployed identity data repositories so I think this move is primarily in the “playing well with open source” category – but valuable nonetheless.

These announcements are further evidence that the likes of Kim Cameron, Microsoft’s chief identity architect, and Mike Jones, the company’s Director of Identity Partnerships, have been working hard to foster the relationships and commitment (both from Microsoft and third parties) required to help make the identity metasystem a reality. That reality is too important for the results of those efforts to be diluted by political shenanigans around patents and GPLv3.

SAP plugs a significant gap – acquires MaXware

Monday, May 14th, 2007
Well, better late than never. SAP today announced the acquisition of privately-held MaXware, a supplier of identity management infrastructure. Back in June 2005, I discussed SAP Venture’s (its VC arm) investment in another identity management specialist: Ping Identity and at the beginning of 2006 predicted that SAP would enter the identity management acquisition fray. My timing was off but SAP has finally done it. In light of the investment in Ping Identity I was somewhat surprised by the choice of MaXware rather than Ping Identity but I think geography may have had a part to play. It is going to be easier for SAP to integrate a Norwegian company than one based in the US.

MaXware is hardly a new entrant in the market: the company has been around for over 15 years, initially providing virtual directory solutions. The company has subsequently built on that foundation to add identity lifecycle management, provisioning and federated web single sign-on. As a result MaXware provides SAP with a pretty comprehensive set of capabilities to bulk up its NetWeaver and broader application proposition, particularly when it comes to competing with arch-rival Oracle which has done a good job with acquiring and subsequently integrating identity management capabilities as part of Fusion Middleware.

SAP still has some way to go, obviously, when it comes to actually delivering an integrated proposition. The fact that both companies are European should help. However, I note that SAP does not appear on the list of MaXware partners and the press release doesn’t mention “building on the existing strong partnership” or “exploiting existing integration between the companies’ solutions” (or other such press release-ese) so it’s difficult to gauge the extent of the technology integration work ahead. Customers and potential customers should look for detailed integration roadmaps.