Catalyst Conference 2008

May 02, 2008

Swiss Army Knife – The Personal Portable Security Device

Blogger: Mark Diodati

I’ve been working with smart cards for most of a decade, and there is a relatively new spin on the technology that merits discussion: the personal portable security device (PPSD).  It combines a USB smart card and USB flash memory on a single platform.  Unlike older USB devices that carried both components but ran them independently, in a PPSD the smart card controls access to the flash memory.  The combination is of interest to enterprises and to the payment and mobile communication industries.  Vendors that offer PPSDs include Gemalto (Secure Enterprise Guardian) and MXI Security (Stealth MXP).  I tested Gemalto’s Secure Enterprise Guardian product.

The combination overcomes the major weakness of each technology.  For smart cards, that weakness is storage: a smart card on its own tops out at roughly 256 KB.  USB flash drives hold up to 8 GB (though the Secure Enterprise Guardian currently ships with a considerably smaller 2 GB).  The weakness of flash memory is security, which is poor relative to a smart card.  A smart card locks itself after a set number of invalid PIN attempts, no diagnostic utility can bypass the PIN check, and the chip is physically tamper-resistant, more so than any other authenticator.  That makes it a good anchor for device-level file encryption: the smart card component generates and stores the symmetric encryption key, and the key never leaves the device.  No PIN, no symmetric key, no access to the encrypted files.  A PPSD typically also has a public area that works like a traditional USB drive, so you can share files with other people without authenticating.

The PPSD also supports traditional smart card and certificate functions: Windows workstation logon, WiFi authentication, mutually authenticated SSL, S/MIME, and digital signatures.  The Gemalto PPSD also exposes a PKCS #11 interface that provides certificate functions for non-Microsoft applications (Firefox and some VPN clients) and for other operating systems (Linux and Mac OS).  Both the Gemalto and MXI Security PPSDs work with USB port control products such as Lumension’s Sanctuary Device Control.  One inherent limitation exists with PPSDs: they do not support physical-logical convergence initiatives, which almost always require the credit-card-sized ISO 7816 form factor.

The Gemalto and MXI Security PPSDs also support one-time password (OTP) generation (the PPSD has no LCD, so the workstation is required to display the OTP).  Gemalto’s OTP generation is OATH-based and MXI Security’s is RSA SecurID compatible (which provides broader platform support).  The combination of OTP and certificate capability gives a stronger authenticator the broadest possible application support.  The Stealth MXP product also provides biometric authentication.
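The OATH OTP mentioned above is the HOTP algorithm (RFC 4226), with TOTP (RFC 6238) as its time-based variant.  What follows is an added example, not Gemalto’s or MXI Security’s code, implementing both in pure Python and checking the result against the test vectors published in the RFCs.  The secret used here is the RFC’s 20-byte test key, embedded so the example runs offline; on a PPSD the equivalent secret lives inside the smart card chip, the PIN gates the computation, and only the resulting digits reach the workstation.  The server-side verify routine with a look-ahead window is my assumption about how a validating back end behaves, not a description of either vendor’s server.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) in pure Python.

Added example, not vendor code.  The 20-byte ASCII key below is the
shared test secret from RFC 4226 Appendix D; on a hardware token the
equivalent secret never leaves the secure element.
"""
import hashlib
import hmac
import struct

RFC_TEST_SECRET = b"12345678901234567890"  # RFC 4226 Appendix D test key


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    if not 6 <= digits <= 8:
        raise ValueError("RFC 4226 OTPs are 6 to 8 digits")
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, candidate: str, stored_counter: int,
                look_ahead: int = 5):
    """Server-side check with a resynchronisation window (assumed design).

    Tries the stored counter and the next `look_ahead` values, which
    tolerates button presses that never reached the server.  Returns the
    counter to store next (consumed counter + 1) on success, else None.
    Anything at or below the previously consumed counter is a replay and
    is never accepted, because the search starts at stored_counter."""
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, len(candidate)), candidate):
            return c + 1
    return None
```

The window is the security-relevant detail: a server that accepts any counter, or that fails to advance the stored counter after a successful login, turns an observed OTP into a replayable password.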

The Secure Enterprise Guardian was immediately recognized by my Windows XP machine.  The device supports the CCID USB smart card specification, so the CCID driver installed automatically via Windows Update.  Gemalto has worked with Microsoft since the release of Windows 2000 to embed its Cryptographic Service Providers (CSPs), so they are already present in the operating system.  A couple of mouse clicks and I was up and running.  Net result: this is the closest to a zero-software deployment model for smart cards I’ve experienced.  I was running with administrative privilege when installing the Secure Enterprise Guardian, and installation results on a typical enterprise workstation may vary.  Windows Vista deployments are simpler still, as the CCID driver is already present.

The device becomes a mobile, secure storage container for both applications and sensitive data.  There is some intriguing functionality that I have not tested yet; I am interested to see how PPSDs work with workstation virtualization products (e.g., VMware ACE or MojoPac).  Some use cases include:

  • A “secure” browser (e.g., limited functionality and a restricted trusted root list) with mutually authenticated SSL.  This combination is already productized by MXI for consumer authentication.  It should be noted that hardware-based authentication is not currently acceptable to U.S. financial institutions and their retail banking consumers.
  • Storage of confidential data, along with the application necessary to access it.
  • Microsoft PowerPoint presentations, along with the PowerPoint software.
  • S/MIME with Outlook Express or Mozilla Thunderbird, with the certificates stored on the smart card.
  • An enterprise SSO application and its associated SSO credentials.

I’m not glossing over the complexity of smart cards and file encryption across the enterprise.  The authenticator is one part of a larger orchestration of smart card management systems, PKI, and key management.  Additionally, organizations should consider USB port control whitelists to limit the devices that can be installed on workstations.  But so much of stronger authentication is about user acceptance.  The PPSD provides the USB mobile storage form factor that users want, and its authentication and data protection capabilities make it a useful Swiss Army Knife.

April 21, 2008

Third time a charm, revisited

Blogger: Kevin Kampman

In my March 10, 2008 blog entry “Short and to the point, if not so sweet” regarding the electronic capture and publication of medical records, I discussed how we frequently mask or defer basic issues by focusing our attention on something else. As Dr. Molly Coye stated in USA Today regarding the potential misuse of medical records: “But those are human actions. They have nothing to do with the technology.” This perspective underscores our fundamental tendency to gloss over technological issues by blaming mistakes on the people using the technology. I believe it is important to recognize this and to address the basic issues.

Sometimes we need to get some distance from an issue in order to see it clearly. Last week I attended a motivational seminar given by Curtis Zimmerman. Mr. Zimmerman is a talented speaker with a compelling message about overcoming adversity and changing the direction of one’s life, individually and as a leader. He teaches juggling as a way to force the audience to drop its barriers to listening and learning. The key takeaways from his presentation are that we need to change our perspectives to recognize and reward failures, not to hide them. He also identifies that we are living a script, someone else’s or our own, and that we need to rewrite the script in order to “live the dream” in our own lives. 

Earlier in April, we heard about a US Airways pilot discharging his gun in the cockpit while stowing it for landing. This was an unfortunate incident, but one to learn from. In a conversation with another (off-duty) pilot on a flight to North Carolina, we determined that this situation demonstrates that current on-aircraft gun handling policies and weapon configurations are accidents waiting to happen.

The guns carried by pilots are the same as those used by law enforcement. The guns have no positive locking safety switch, a round is chambered (by policy), and the gun is out and ready to use while the craft is in the air. Given the backup and failsafe environment that a cockpit represents, it is amazing that a device configured in this manner has been introduced without appropriate, common-sense precautions. This is one reason we often read about law enforcement officers having self-inflicted accidents. Fortunately, in this case no one was injured, but the pilot did lose his job.

The bottom line here is that US Airways did not reward him for demonstrating a failure in the system and take appropriate actions to prevent similar failures in the future. The result is that we will continue playing out this flawed script. Next time, someone may get hurt.

A notorious, identity-related failure has to do with the performer and musician Britney Spears. While she was undergoing medical treatment, her medical records were deliberately accessed by professional and medical staff having no reasonable association with her care. This demonstrates that the medical records system in use by her provider has inadequate controls. The resolution to this situation is that a number of non-physicians were fired, while the physicians were only “disciplined”.

The bottom line here is that we have different scripts for different people. In a medical community, the physicians are in control, and are in a position to continue to violate patient privacy at will, until fundamental changes are introduced into the records systems.

And late last week, we heard of yet another records disclosure failure. WellPoint, a health care benefits firm, exposed nearly 130,000 personal medical records (records, mind you, not attributes like social security numbers) by using a third party’s improperly secured web servers. This is the first occurrence of a records disclosure of this magnitude, and is the harbinger of what is likely to come.

The risk of disclosure, misappropriation and misuse of our medical records is higher today than ever, and the burden of dealing with the situation is being pushed off to us. The risk of aggregation aggravates the problem even more, since companies that want to collect this information, such as Microsoft and Google, will become targets of compromise. Whatever mechanisms they employ to protect this information must be professionally vetted by independent experts prior to any public deployments. Since there is no medical equivalent in this country to the credit reporting bureaus, we have even fewer means to protect ourselves than we do in the case of financial compromises. This being the case, we can’t afford to make mistakes.

The final “bottom line” is that anyone dealing with private information needs to recognize that it can cause irreparable harm if it is not handled in an appropriate manner. We have already heard of situations where a person’s medical identity has been hijacked to obtain services for someone else, and run up payments to the benefits limit. Medical conditions could also be used as a gating factor for denial of employment. My family learned of my father’s impending demise due to the disclosure of diagnostic information by an indiscreet radiology technician.

We can’t continue with the same old same old; it’s clearly inadequate, as are regulations regarding disclosure of compromises (such as California’s SB 1386). We need to examine, reward and learn from these organizational and systemic failures, or else the script of records disclosures, potentially on the order of millions of records, will continue.

April 09, 2008

Hitachi! Who knew?

Blogger: Lori Rowland

Using the 2008 RSA Conference as its platform, Hitachi announced the acquisition of a majority share in M-Tech. The newly formed company will operate under the name Hitachi ID Systems, be rolled into Hitachi’s information security portfolio, and operate as a subsidiary of the Hitachi parent company.

M-Tech, headquartered in Calgary, Alberta, Canada, has been a long-standing vendor in the IdM market. The company’s product portfolio includes provisioning, password management, privileged account management, AD group management, and various other IdM technologies. M-Tech is best known for P-Synch, its password management offering, but has also fared well in the provisioning market.

While Hitachi is well known in North America, it is a powerhouse in Asian markets. Hitachi sells consumer products (e.g., electronics and power tools) but also offers hardware and software for enterprise organizations, and it has a heavy presence within Asian enterprises. The Asian market has been slower to adopt IdM technologies; however, it is gaining traction, primarily because of the enactment of laws and regulations such as Japan’s Financial Instruments and Exchange Law (J-SOX). Hitachi ID Systems may have “a foot in the door” with Hitachi’s existing customer base.

Another interesting characteristic of the acquisition is that Hitachi ID Systems will operate as a subsidiary. According to M-Tech founders Gideon Shoham, CEO, and Idan Shoham, CTO, M-Tech had been approached by other vendors in the market and had turned down acquisition offers. What made the Hitachi offer stand out? As a subsidiary, the M-Tech founders will maintain control over technology direction and day-to-day operations, the M-Tech employee base will remain intact, and the impact on M-Tech’s existing customers will be minimal.

M-Tech realizes several other benefits from the acquisition. As the IdM market has become increasingly competitive, it was difficult for M-Tech to compete against large, major-brand vendors. The acquisition gives M-Tech (now Hitachi ID Systems) access to a global sales team and a large information security consulting team that will be trained on the Hitachi ID Systems product family. Most importantly, it gives M-Tech global name recognition.

The tenor of this acquisition seems somewhat different from acquisitions we have seen in the past. While the benefits of the acquisition to M-Tech are obvious, Hitachi’s overall vision for IdM is not yet clear. The parent company does offer various security technologies, such as RFID and vein pattern recognition biometrics; however, how and whether these technologies will be integrated with M-Tech’s product family has not yet been defined.

Hitachi’s acquisition of M-Tech will no doubt leave some in the market scratching their heads.  It is too early to tell the full impact of the acquisition, but one thing is clear: M-Tech needed the backing and sales channel of a larger vendor to progress in the market. The battle is not yet won, however. This is an unpredictable market; customers are concerned with vendor viability and longevity, and the long-term relationship between vendor and customer has become a differentiating factor for many IdM purchases. To be successful, Hitachi ID Systems must quickly communicate a clear vision and an aggressive strategy. Although Hitachi is a recognized name, it is competing with large vendors such as IBM, Oracle, and Microsoft, all of which have already established themselves as powerhouses in the IdM market.

This acquisition proves that the IdM market is full of surprises; there is never a dull moment. There is still ample opportunity for acquisitions, and activity will likely continue in the role management, entitlement management, and authorization spaces.  Even more mature segments like provisioning may see continued activity, as the M-Tech acquisition shows.

March 19, 2008

The MIFARE Classic Card is Hacked

Blogger: Mark Diodati

Some of you may have read that the proprietary symmetric key cryptographic algorithm of the MIFARE Classic card has been broken.  The MIFARE Classic card is used in physical access control systems (PACS) and contactless payment systems (including tollway and public transportation systems).  By some estimates there are 500 million MIFARE cards deployed worldwide, and the majority of them are MIFARE Classic cards.  Karsten Nohl and his team completed the hack, and the team was able to clone a MIFARE Classic card in less than two minutes (the “skimming”, or reading, of the card takes only a few seconds).  Perhaps not coincidentally, NXP (the owner of the MIFARE intellectual property) announced on March 10 a new-and-improved MIFARE card that uses 128-bit AES.  The first samples will be available in Q4 of 2008; replacing hundreds of millions of fielded cards will take considerably longer.

You may be aware of the MIFARE vs. HID Prox card religious war in the PACS space.  From my experience talking with customers, there are more HID Prox cards than MIFARE cards used in PACS in the United States.  MIFARE proponents consistently tout the security value of MIFARE technology over HID Prox, and have pointed to the fact that HID Prox cards, which simply broadcast a fixed identifier, can be readily cloned.  You can see a video of the HID Prox card clone from the 2007 RSA Conference here.  The conventional wisdom was that the MIFARE card was unclonable.  The conventional wisdom was wrong.

The impact of the MIFARE hack on payment systems that rely on it (and on their consumers) is increased fraud.  Cloning the card does not require possession, only proximity.  I am unaware of any preventative measures that would preclude a fraudster from walking around a parking garage and cloning the tollway cards mounted in everyone’s windshield.  Some people might consider this an act of civil disobedience, particularly if they drive on the Illinois Tollway with any frequency (as Triumph the Insult Comic Dog would say, “I keed!”).  Skimming and cloning a user’s public transportation card while they ride the train is likewise a likely outcome.  If you are aware of any preventative measures, please let me know.

What is the impact on PACS security?  The reality is that many PACS deployments never used the MIFARE encryption features, because managing symmetric keys across the relatively complex PACS environment (specifically cards, readers, controllers, and hosts) remains a daunting process.  For these deployments without encryption, it is business as usual.  Organizations that deployed MIFARE with encryption should realize that they are not as secure as they thought.  Either way, as we have said before, no authentication method is bulletproof.  Organizations should be using other controls, like auditing and security event correlation, to enhance the security of their PACS.
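The suggestion above to compensate with auditing and event correlation can be made concrete.  The following is an added example (not from the post, NXP, or any PACS vendor) that runs an “impossible travel” check over a constructed badge-reader log: when the same card ID is granted access at two readers faster than a person could move between them, either the card has been cloned or the log is wrong, and either way someone should look.  The reader names, the minimum travel times between them, and the log line format are all assumptions made for the example.

```python
"""Impossible-travel correlation over PACS badge events.

Added example, not vendor code.  Everything below the docstring is
constructed: the log format, the reader names and the travel-time table
are assumptions, not the output of any real access control system.
"""
from datetime import datetime
from itertools import groupby

# Constructed sample controller log, one granted/denied event per line.
SAMPLE_LOG = """\
2008-03-19T08:01:12 card=04A1B2C3 reader=HQ-Lobby result=granted
2008-03-19T08:01:40 card=04A1B2C3 reader=HQ-Floor3 result=granted
2008-03-19T08:03:05 card=04A1B2C3 reader=DC-Annex result=granted
2008-03-19T08:05:00 card=09FFEE11 reader=HQ-Lobby result=granted
2008-03-19T08:09:30 card=09FFEE11 reader=HQ-Floor3 result=granted
2008-03-19T08:10:00 card=77889900 reader=DC-Annex result=denied
"""

# Assumed minimum plausible travel time between reader pairs, in seconds.
# The DC-Annex is taken to be a separate building a 15-minute walk away.
MIN_TRAVEL = {
    frozenset({"HQ-Lobby", "HQ-Floor3"}): 60,
    frozenset({"HQ-Lobby", "DC-Annex"}): 900,
    frozenset({"HQ-Floor3", "DC-Annex"}): 900,
}


def parse(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def impossible_travel(log_text: str) -> list:
    """Return (card, reader_from, reader_to, elapsed_seconds) for every pair
    of consecutive granted events on one card that arrives faster than the
    MIN_TRAVEL table allows.  Denied events are ignored: a cloned card that
    is refused is noise here, a cloned card that is admitted is the alert."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    granted = sorted((e for e in events if e["result"] == "granted"),
                     key=lambda e: (e["card"], e["ts"]))
    alerts = []
    for card, group in groupby(granted, key=lambda e: e["card"]):
        evs = list(group)
        for prev, cur in zip(evs, evs[1:]):
            pair = frozenset({prev["reader"], cur["reader"]})
            if len(pair) == 1:
                continue  # same reader twice: anti-passback is a separate rule
            elapsed = (cur["ts"] - prev["ts"]).total_seconds()
            if elapsed < MIN_TRAVEL.get(pair, 0):
                alerts.append((card, prev["reader"], cur["reader"], int(elapsed)))
    return alerts
```

Run against the constructed log, card 04A1B2C3 trips the rule twice (lobby to third floor in 28 seconds, then to the annex in 85 seconds) while 09FFEE11 does not; in a real deployment the travel-time table comes from the site layout and the events come from the PACS host, and the alert should be correlated with the cardholder’s logical logons as well.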

Finally, when will people learn?  Cryptographic algorithms should be public so that they can be scrutinized and tested.  Secret algorithms are not more secure because they are secret; Bruce Schneier has been saying this for years.

If you are interested in more details on PACS architecture and components, I recommend my recent Burton Group research document “Let’s Get Logical: The Convergence of Physical Access Control and Identity Systems” (subscription required).

March 13, 2008

Why Enterprise Single Sign-On (E-SSO) is More Than Just a Tactical Add-on

Blogger: Phil Schacter

Today’s announcement of IBM’s acquisition of Encentuate, positioned primarily as a supplier of enterprise SSO technology, is a significant milestone in the maturing of the E-SSO market. Two years ago E-SSO was viewed as a standalone product, somewhat complementary to the deployment of stronger authentication and a convenient way to support legacy applications whose internal logic prompted for login credentials, typically a user ID and a simple password.

Most identity and access management vendors were content to license or resell technology obtained from smaller specialist firms. IBM, Oracle and Sun partnered with Passlogix, while Novell works with ActivIdentity and Quest with Evidian. CA has its own E-SSO offering stemming from an earlier acquisition of Platinum/Memco.

However, the identity and access management vendors discovered that E-SSO was both a market accelerator and offered some important features of interest to customers with regulatory compliance requirements. E-SSO has a shorter sales cycle (typically six months or less) and is able to deploy more rapidly (one to three months depending on the complexity of the environment). Cost for E-SSO varies but many deals are less than $100K, which is easier on the IT budget than most user provisioning software and service projects. Customers could start with E-SSO and then over time add user provisioning, web SSO, federated SSO, and other components of the identity management suites. E-SSO technology also can provide an audit trail of user sessions and any interactions with applications accessed through the E-SSO system.

So who wins in the IBM deal to acquire Encentuate? First, it’s a big win for Encentuate’s 80-plus customers, who can look forward to continued support and a more aggressive product roadmap funded by a premier vendor. Although no financial numbers were shared, the deal provides an exit for the investors that poured about $24M into Encentuate over the years. The 160-plus customers of IBM’s TAM ESSO v6 will have support from IBM for three years from v6’s general availability date of February 2007. They will have to choose among continuing to use ESSO v6, transitioning to become a direct Passlogix customer, or migrating to IBM’s new v7 offering, which is based on the technology acquired from Encentuate. TAM ESSO v7 is expected to be available in Q3 2008 and will include planned enhancements to Encentuate’s product plus address IBM’s integration requirements.

IBM also plans to build on the engineering talent obtained in this acquisition to build out a Security Software Lab in Singapore for more than just the E-SSO and former Encentuate product lines. The region offers high-quality engineering talent and a more efficient operational infrastructure and cost than labs based in some other regions. Another key reason for IBM’s shift to a new technology provider is that Encentuate builds on a J2EE foundation, as do most other Tivoli products.

Another interesting question is the impact of the IBM deal on its former partner, Passlogix. Clearly IBM will try hard to convince existing customers to migrate to TAM ESSO v7, but any migration is hard and it’s not clear who will fund the professional services cost of doing so. Passlogix expects to derive significant ongoing maintenance revenue from a portion of IBM’s 160 customers, and that this revenue stream will more than offset any lost OEM royalties. There is also the question of what happens to the healthy pipeline for ESSO v6 and whether Passlogix can convert any of these prospects into direct customers. Overall Passlogix is prospering in a strong market for E-SSO and related offerings, and indicates that no one source contributes more than a sixth of overall business revenue.

One final observation: this deal is likely to start a last wave of consolidation, with Oracle and Sun each weighing the business risk of the other acquiring Passlogix first. Another acquisition that should probably happen is Novell buying ActivIdentity. Novell already provides the channel for 80% of ActivIdentity’s business, so why not bring this important function in-house?

March 11, 2008

Sxip-Ping to a new beat

Bloggers: Gerry Gebel and Bob Blakley

Today, Ping Identity announced it is acquiring Sxip Access, the portion of Sxip Identity that provided identity management for software-as-a-service applications. Sxip Identity will still exist and focus its energies on Sxipper and other Identity 2.0/Web 2.0 technologies.

This appears to be a good strategy for both parties. Sxip is free to focus solely on user-centric identity technology and approaches. Ping is able to immediately add support for SaaS applications to its federation portfolio, bolstering its ability to address the growing needs of organizations with distributed applications and a dispersed workforce.

Of course, adoption of SaaS applications is on a strong growth trend across the industry, so there are many vendors seeking to enter this market and provide potential solutions. For example, TriCipher just announced its myOneLogin hosted authentication service, which supports SAML and a number of other authentication mechanisms; Conformity is developing security, audit, and identity solutions for SaaS applications; and Symplified is working on identity-on-demand offerings for SaaS (the Symplified and Conformity offerings are at the beta testing stage). It turns out, of course, that federation protocols don’t address some single sign-on scenarios if your workforce doesn’t fit neatly within the confines of the SAML protocol. While technically feasible, it can be difficult in practice to accommodate workforce members authenticating from on premises, from partner locations, or while traveling.

It also appears that SaaS vendors have gotten more serious about authentication security as a result of recently published attacks against Salesforce.com. In summary, the acquisition, recent product offerings, and multiple startups suggest a segmentation of the SaaS identity market: a server-side SaaS federation market and a client-side consumer authentication-as-a-service market. Both segments are good developments and necessary for the industry, and both are likely to grow over time.

March 10, 2008

Short and to the point, if not so sweet

Blogger: Kevin Kampman

In the Friday, February 29, 2008 USA Today article “Prognosis is bright for Google’s health records plan” identifying Google’s intent to build an online medical records database, some controversy about the privacy and potential misuse of patient records was cited. In particular, the potential for misuse of these records for background or hiring purposes was identified. The statement “But those are human actions. They have nothing to do with the technology.” was attributed to Dr. Molly Coye, Google advisor and CEO of non-profit HealthTech.

This is similar to, if not the same perspective as “Guns don’t kill, people do”. Thankfully, there is plenty of gun safety education, regulation and control as to who shouldn’t or should have weapons. Even so, madmen and crazies kill. People still suffer and die, and their families and society pay. Manufacturers and retailers profit.

With health records available in a readily accessible format and medium, the opportunity for compromise is not just a people problem. If a prospective employer or business entity wants to vet your records, you may be denied employment or access to some service just by refusing to grant them access. The collection and analysis of health information is big business, and access to the statistics may be just as detrimental as access to your records alone. This situation must be balanced by industry accountability and regulation, as well as explicit liabilities borne by those who misappropriate or use the information for illegitimate purposes. As recent financial compromises have shown, there is also a serious risk of insider misuse of private information.

You might think this comparison is off the mark, but the privacy and control of health care records is a critical issue, and turning over control of personal information to a profit-seeking entity without significant, if not bulletproof, individual protections must not be taken lightly. Wasn’t HIPAA supposed to accomplish this? I think it’s time for a real sanity check of what we are considering here. Before the bullet leaves the barrel…

March 06, 2008

Microsoft acquires Credentica

Blogger: Mark Diodati

Today, Microsoft announced its acquisition of Credentica, a consumer authentication technology company.  Like Arcot and TriCipher, its executive team holds patents on some interesting cryptographic techniques, which are embedded in the company’s U-Prove technology.  The technology relies heavily upon public key cryptography.  If you are interested in the protocols, you can retrieve the “U-Prove SDK Overview” and a corresponding PowerPoint presentation here.

I have yet to speak to Microsoft and Credentica (this is likely to happen in the next few days), and my understanding will likely change once that happens.  Within the U-Prove environment there are three parties: the issuer (AKA credential or identity provider), the user, and the verifier (AKA the service provider).  After the user successfully authenticates, the issuer provides the user with a credential, the ID Token.  The ID Token can be short- or long-lived.  It is signed by the issuer (similar to an X.509 certificate), and the user subsequently presents the ID Token to the verifier.

The user authenticates to the verifier when presenting the ID Token by also sending a nonce (that is, a random challenge) signed with the user’s private key.  The verifier can then confirm that the ID Token is being presented by the user in possession of that private key (yes, Virginia, the U-Prove technology appears to require that the user possess a private key).

One important distinction exists when compared to X.509 authentication: before presenting the ID Token, the user controls which attributes in the ID Token are revealed to the verifier, which provides some privacy protection.

The technology also appears to provide man-in-the-middle mitigation and digital signature capabilities, and to support stronger authentication (e.g., a smart card) of the user to the issuer.

The U-Prove protocol also appears to work nicely with SAML while giving the user control over the information presented to the verifier (AKA service provider).  The issuer (AKA identity provider) provides the ID Token credential to the user.  The ID Token contains user attributes signed by the issuer.  The user controls which attributes are disclosed to the verifier because the user builds the SAML assertion from the desired attributes, signs the assertion, and then presents it to the verifier.
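The property described in the two paragraphs above, an issuer-signed credential from which the user reveals only chosen attributes and the verifier still checks the issuer’s signature, can be illustrated with a much simpler construction than U-Prove’s.  The example below is added here and is not Credentica’s or Microsoft’s code, nor U-Prove’s actual mathematics (which uses blind signatures and zero-knowledge proofs to make presentations unlinkable); it uses salted hash commitments to each attribute, which gives selective disclosure but not unlinkability.  Because the Python standard library has no public-key primitives, the issuer’s signature is stood in for by an HMAC with a key the toy issuer and verifier share, and the step where the user signs the verifier’s nonce with a private key is left out; in the real protocol the verifier holds only the issuer’s public key.  Attribute names and values are constructed for the example.

```python
"""Selective attribute disclosure with salted hash commitments.

Added example, not U-Prove's cryptography.  The issuer "signature" is an
HMAC stand-in (the toy issuer and verifier share ISSUER_KEY); a real
deployment uses a public-key signature that the verifier checks with the
issuer's public key, plus a user-side proof of key possession over the
verifier's nonce, neither of which the standard library provides.
"""
import hashlib
import hmac
import json
import secrets


def _commit(name: str, value: str, salt: bytes) -> str:
    # Domain-separated hash of (name, value, salt).  The per-attribute salt
    # stops a verifier from guessing a hidden attribute drawn from a small
    # value space (e.g. a yes/no flag) by hashing every candidate.
    h = hashlib.sha256()
    for part in (name.encode(), b"\x00", value.encode(), b"\x00", salt):
        h.update(part)
    return h.hexdigest()


def _canonical(obj) -> bytes:
    # Stable serialisation so issuer and verifier sign/verify identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue(attributes: dict, issuer_key: bytes):
    """Issuer: commit to every attribute and sign the set of commitments.
    Returns the signed token (safe to show anyone) and the openings
    (values plus salts), which only the user keeps."""
    openings = {n: (v, secrets.token_bytes(16)) for n, v in attributes.items()}
    commitments = {n: _commit(n, v, s) for n, (v, s) in openings.items()}
    sig = hmac.new(issuer_key, _canonical(commitments), hashlib.sha256).hexdigest()
    return {"commitments": commitments, "sig": sig}, openings


def present(token: dict, openings: dict, reveal: set) -> dict:
    """User: forward the signed token plus openings for chosen attributes only.
    Hidden attributes travel as opaque commitments and nothing else."""
    revealed = {n: (v, s.hex()) for n, (v, s) in openings.items() if n in reveal}
    return {"token": token, "revealed": revealed}


def verify(presentation: dict, issuer_key: bytes) -> dict:
    """Verifier: check the issuer signature over all commitments, then
    recompute each revealed commitment from its opening.  Returns only the
    attributes that verified; raises ValueError on any mismatch."""
    token, revealed = presentation["token"], presentation["revealed"]
    expected = hmac.new(issuer_key, _canonical(token["commitments"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise ValueError("issuer signature invalid")
    verified = {}
    for name, (value, salt_hex) in revealed.items():
        if name not in token["commitments"]:
            raise ValueError(f"attribute {name!r} is not in the token")
        recomputed = _commit(name, value, bytes.fromhex(salt_hex))
        if not hmac.compare_digest(recomputed, token["commitments"][name]):
            raise ValueError(f"opening for {name!r} does not match its commitment")
        verified[name] = value
    return verified
```

The verifier learns the issuer vouched for the whole attribute set but sees values only for what the user opened; changing an opened value, or the commitment list, breaks the check.  What this toy cannot do, and U-Prove is designed to do, is prevent the verifier from linking two presentations of the same token, since the commitment list is the same each time.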

Why did Microsoft acquire Credentica?  The U-Prove technology looks like a good candidate as an authentication mechanism for CardSpace managed cards (i.e., cards issued by an identity provider) that is consistent with Kim Cameron’s Laws of Identity.  The authentication we are talking about is between the identity provider (AKA issuer in Credentica-speak) and the user, not between the user and the service provider (AKA verifier in Credentica-speak).  My colleague Bob Blakley is our resident CardSpace expert; I learned most of what I know about the technology from him.  If you are a Burton Group IdPS customer and are interested in CardSpace, his recent document “The Information Card Landscape” is a good read.

The aforementioned Credentica white paper (published in April 2007) describes these benefits:

“ID Tokens are the only practical technology by means of which the Windows CardSpace identity selector can fully comply with the “laws of identity” defined by its chief architect, Kim Cameron. Cameron has confirmed that standard digital certificates break the fourth law of identity. In addition, the second and third laws of identity cannot be fully met using standard certificate technology.”

It appears that the Credentica technology is more protocol than product, which is beneficial to Microsoft: there are fewer pre-acquisition customers to support, and Microsoft should have an easier time integrating the U-Prove technology into CardSpace.  Microsoft does appear to have at least one integration challenge, because the U-Prove SDK appears to be Java-based and requires the Java runtime environment on the user’s client.

March 03, 2008

HP's Identity Retrenchment

Bloggers: Bob Blakley, Lori Rowland, Gerry Gebel

Burton Group frequently discusses the fiercely competitive nature of the identity management (IdM) market. This continues to be a consolidating market characterized by numerous mergers, acquisitions and vendor exits.

Burton Group has specifically commented on HP’s struggle to succeed in this competitive market. Burton Group’s Identity and Privacy Strategies Report, “The Identity Management Market 2007: An Expanding Universe”, our Catalyst 2007 keynote “Identity Management Market Landscape 2007: Enabling Security and Control Objectives in the Enterprise”, and our “Vantage Point 2007: Trends in Identity Management” telebriefing all noted that HP’s ability to compete, mindshare, and market momentum have been in sharp decline.

Burton Group has been contacted by HP customers who report that HP is no longer going to seek new customers for its Identity Center product.  We have contacted HP and the company confirms that HP Software has decided to focus its investment in identity management products exclusively on existing customers and not on pursuing additional customers or market share. HP is in the process of reaching out to each customer regarding the change. Last week Burton Group spoke to HP Software Vice President of Products Eric Vishria regarding this development. 

Vishria explained that the Identity Center product line was not performing in this highly competitive market at a level that’s acceptable to HP, but added that the product supports the operations of a number of HP’s critical customers.  HP has therefore made the decision to focus research and development efforts on existing customers only.

The company does have a respectable number of existing customers. HP is in the process of reaching out to these customers to assist them with their identity management needs going forward. HP also feels that Identity Center represents an excellent set of technologies. For these reasons, HP has decided not to declare end-of-life for the product.  This means that HP will continue to provide technical support to existing customers and will maintain a development staff to make product enhancements based on needs of existing customers.  Vishria did not specify how long this technical support and product enhancement will continue. However, he did acknowledge that HP had considered options including end-of-life for Identity Center, and had consciously decided against declaring end-of-life so as to extend support and development beyond the two years typically allotted for an end-of-life product.

HP’s decision is clearly a blow to the company’s current IdM customers and to anyone who was considering purchasing their products. HP’s commitment to current customers is commendable; this commitment obviously cannot be open-ended, so now is the time for current HP customers to start planning.

In view of HP’s decision, Burton Group has recommendations for existing HP customers, non-HP customers, and other vendors competing in this market.

First and foremost, current HP customers should not panic. HP has no intention of abandoning its existing Identity Management customers.  Your first step should be to contact HP for clarification of the situation; HP is in the process of reaching out to all of its Identity Center customers, and you are undoubtedly already on their radar.  Existing customers will, however, need to decide going forward whether they will stick with their investments or consider moving to another product. Even if the decision is to move to another product, HP’s strategy and commitment allows customers to exit in an orderly and timely fashion.

After not panicking, existing customers must think strategically. It’s fair to assume that HP will not be able to keep pace on product enhancements when compared to other vendors who are fully committed to the IdM market and who are deriving revenue from new product sales. Organizations with HP Identity Center deployments will need to evaluate all of their options going forward.

Customers of other IdM vendors and customers considering new IdM deployments should also be carefully scrutinizing this announcement. As the market becomes increasingly competitive it is imperative that customers evaluate the viability and long-term strategy of their existing and potential IdM vendors. Burton Group predicts that the market will see continued, or even increased, consolidation in coming months.

Another point worth mentioning is how HP’s announcement illustrates the fierce competition in the IdM market – even for a vendor the size of HP. There is extreme pressure from all sides in the IdM market, particularly for smaller vendors, but HP proves that even the giants are not immune from difficulty.

Finally, IdM vendors: now is a good time to evaluate your commitment to the market, being completely realistic about the level of investment required to compete successfully in the crowded Identity Management space.

March 02, 2008

So many identity conferences, so little time

Blogger: Gerry Gebel

If you use conferences as a guide, then identity management is hotter than ever. It seems a month doesn’t go by without at least one event that is identity related and March 2008 is no exception. In fact, I’m participating in two conferences this week in Europe – where the list of interesting identity-related events continues to grow. On Monday, I’ll be at the Net ID 2008 conference in Basel, Switzerland talking about SharePoint access and identity management. I’ll also be on a panel discussing interoperability – a favorite topic of mine, so this should be fun.

Later in the week, I’ll be presenting at the ic Consult conference at BMW World in Munich. My presentation is titled “IdM Markt, Schwerpunkt SSO” (IdM Market, Focus on SSO) in the program, but rest assured I will be doing this in English and not torturing the audience with my meager German language skills!  The guys at ic Consult always put on a great program – I’ve had the great fortune to participate in their fall event that happens to coincide with Oktoberfest… In any language, it’s remarkable that, as an industry, we haven’t done more to ease the authentication burden for end users. Certainly, there are enough technologies to choose from: passwords, smart cards, PKI, federation, E-SSO, Kerberos, SPNEGO, GSS-API, and the list goes on. But the problem, if anything, is getting worse.

In addition to talking about SSO in Munich, we’ll be focusing quite a bit of attention on authentication at Catalyst this June. My colleague, Mark Diodati, is leading the charge on that topic and you’ll hear more from him about it between now and the conference.

Novell rounds out the March conference schedule with their BrainShare event in Salt Lake City. While not exclusively focused on identity, Novell includes a heavy dose of it on the agenda. And one of the better features is that this conference is local to the Burton Group headquarters. Hope to see you on the road, or on home territory this month.