Blogger: Mark Diodati
Over the years, we have watched IdM vendors acquire companies and their products to round out their suites. The list is long, and goes back before anyone was talking about “identity management”. CA acquired Platinum in 1999, which brought enterprise SSO and UNIX security solutions into the stable. You might argue that an OS security product is not part of IdM, but it provides authorization services and therefore fits the definition. In late 2004, it acquired Netegrity and its flagship product SiteMinder. Oracle has been on a tear recently, having acquired Oblix (WAM and federation), Octet String (virtual directory), Thor (user provisioning) Bharosa (consumer authentication), and Bridgestream (role management). IBM has done the same thing, with its acquisition of DASCOM (WAM) in 1999, Access360 (provisioning) and Metamerge (metadirectory) in 2002. Sun has made similar acquisitions (e.g., Waveset for provisioning). The list is by no means exhaustive.
The trend begs the question: “What’s next?” Ignoring the obvious GRC market, three product markets are ripe for acquisition in the near term: enterprise SSO, virtual directories, and privileged account management. My prediction does not place me in the same league as Nostradamus (or Criss Angel for that matter, who dabbles in this art), as Oracle has already acquired a virtual directory company (Octet String). As the consumer authentication and entitlement management markets mature over time, companies with these products will also be candidates for acquisition.
Few enterprise SSO companies exist in the marketplace. ActivCard (now ActivIdentity) acquired Protocom to enhance its existing capabilities. The company with the biggest bulls-eye on its back is Passlogix. Passlogix OEMs its v-Go eSSO product to Oracle, Sun, and IBM. The Citrix product has a residual amount of Passlogix code in it. Whoever picks up Passlogix has the opportunity to shake up the market and irritate its competitors. CA has its own eSSO product as a result of its acquisition of Platinum (which had acquired Memco).
Similarly, there are very few virtual directory vendors. BMC Software acquired Calendra, Oracle acquired Octet String, and SAP acquired MaXware. The remaining vendors are Radiant Logic and Symlabs, and they are good targets for IBM, CA, and Sun as they all have WAM systems and LDAP directories that integrate quite nicely with the virtual directories. Yes, Sun’s directory picked up some limited virtual directory capabilities this year, but the capabilities aren’t competitive with the other products. More than any other product, virtual directories make IdM projects (e.g., WAM, eSSO, federation) possible because they abstract away the many identity repositories for consuming applications. The virtual directory enables the vendor to sell more of the products in its suite.
As you may have guessed, there are very few privileged account management vendors. There are seven vendors in total, with three vendors entering the market this year. These products restrict access to the password associated with the account by enforcing its checkout and changing it frequently. Given the products' substantial growth since 2006 due to compliance pressures (the number of customers has at least doubled), the acquisition of Cloakware, Cyber-Ark, or e-DMZ Security by an IdM vendor is a reasonable outcome.
What do you think? Let us know.
Now that we’ve discussed potential acquisition candidates, two remaining questions come to mind. We’ll address these questions in a future blog entry.
- Does the continued acquisition of additional products enhance the IdM Suite?
- Was the IdM suite ever meaningful?
I feel that more and more acquisitions are increasing the broadness of the IDM suites. Now companies can target customers with multi feature suite under one product.
My next question is what will happen to the open source community products in this areana?
Visit my blog http://identitycontrol.blogspot.com
Posted by: Kapil Gupta | October 17, 2007 at 09:39 PM
you mention 7 players but only list 3. Who are the other 4 players?
Posted by: David Robin | October 17, 2007 at 09:51 PM
The seven privileged account management vendors are Cloakware, Cyber-Ark, eDMZ Security, Fischer International, PassGo Technologies, Symark, and M-Tech Information Technology.
Posted by: Mark Diodati | October 18, 2007 at 04:35 PM
Great question regarding open source. I am unaware of open source products for privileged account management (specifically, password change/administrative checkout -- there are open source offerings that help with authorization, like sudo). There are several open source virtual directories that I am aware of (MyVD and Penrose), but they are relatively new, and it’s too early to tell if they will gain traction. Most open source SSO implementations focus on web SSO, which is different from enterprise SSO. There’s one product - JA-SIG Central Authentication Service – that may have SSO capabilities, but it does not have a workstation SSO client and therefore is does not appear to be an enterprise SSO product. The product has very few commercial enterprise deployments (it has lots of higher education installations).
Posted by: Mark Diodati | October 18, 2007 at 04:54 PM
In regards to the SSO space, Imprivata also seems to be picking up some steam. They're certainly worth mentioning as they're still "affordable."
Posted by: Greg Sarrail | October 18, 2007 at 06:57 PM
Greg - Imprivata is definitely worth mentioning. They're doing some interesting things with physical access systems (I'd characterize it as "contextual authorization") and support a wide array of authentication options.
Posted by: Mark Diodati | October 18, 2007 at 10:27 PM
Couple of other areas to look into are Web Services Security with STS capability and the Fine Grained Acccess Control with XACML support. Even after Oracles acquisition of Oblix (now Oracle Web Services Manager) there has been very limited development in that product. PingIdentity could be a target.
Posted by: Sitaraman Lakshminarayanan | February 05, 2008 at 09:36 AM
Mark - Does Novell have capabilities around this solution within their IDM product suite??
Posted by: Joe D | September 29, 2008 at 11:28 AM