Burton Group Identity Blog: identity management

March 05, 2010

Catalyst Europe is Coming Up Fast!

Blogger: Bob Blakley

We hit the stage for Catalyst Europe on April 19. If you haven't already made your plans to join us in Prague, we've got a little treat for you at the end of this post.

We're going to focus this year on the emerging identity architecture. If you're looking, you can see this identity architecture around you already, in offerings from mainstream identity vendors like Microsoft and Oracle, but also in offerings from smaller firms like Gluu, Unbound ID, Radiant Logic, and others.

The elevator-pitch version of the story is this: licensed provisioning software packages compete in a market for identity management systems. User-centric identity providers compete in a market for identity providers. What enterprises need is neither a market for identity management systems nor a market for identity providers - what they need is a market for identities.

Federation technology, directory virtualization, and contextual access control can be combined to create a technical architecture on top of which this market for identities can emerge. The market for identities has many advantages, but getting there will take time and it will take work. We'll lay out the roadmap in Prague.

If (like me) you're a last-minute kinda person and you haven't registered yet, here's your reward for waiting: use the promo code "INSIDER" during registration, and you'll get your ticket for the discounted price of only 995 Euro.

Posted by Burton Group IdPS at 10:07 AM in Bob Blakley, burtongroupcatalyst10, emerging technologies, entitlement management, federation, identity management, identity services, new identity business models, provisioning, relationship, SaaS, user centric identity | Permalink | Comments (0) | TrackBack (0)

January 23, 2010

Oracle and Sun Clear a Big Hurdle

Blogger: Lori Rowland

Thursday the European Commission gave Oracle its unconditional approval to take over Sun Microsystems. Oracle still awaits approval from other jurisdictions including Russia and China, but given the EU’s ruling it is likely that these approvals will be expedited. It is fair to say that the EU’s approval was the last major hurdle for Oracle to overcome before the acquisition can move forward. The EU’s prolonged approval process had cast a cloud of doubt over the acquisition, leaving Sun’s IdM customers anxious over the fate of their IdM solution. Today’s announcement is particularly good news for those customers.

The IdM community has been closely watching the developments of this acquisition. Whereas many of Sun’s products have no direct equivalents in the Oracle portfolio, there is significant overlap between the companies’ IdM products. Since Oracle announced its plans to acquire Sun in April 2009, Burton Group has been inundated with inquires from both Oracle and Sun customers wondering how to move forward with purchases, deployments, upgrades, and product choices.

Oracle remains restricted in the amount of information it can share before the acquisition closes. The company has, however, put a plan in motion to communicate its roadmap and integration strategy over the coming months. On January 27, 2010, Oracle CEO Larry Ellison will host a webcast highlighting the combined Oracle and Sun strategy. Oracle and Sun customers can register for the webcast via this link:

http://www.oracle.com/go/?&Src=6806472&Act=22&pcode=WWMK09040443MPP007

Once the acquisition closes Oracle will be able to provide more specific information on its planned IdM roadmap. On January 27, we expect Oracle to lay out its combined IdM strategy and roadmap while discussing maintenance and support implications in line with Oracle’s track record in past acquisitions. Based on what we’ve seen with the BEA acquisition, Burton Group expects that representatives from Oracle will offer to meet with individual organizations to ensure that the transition is as smooth as possible. Burton Group encourages organizations that have a strong investment in Sun (or Oracle) IdM products to take advantage of such meetings to express their individual needs and concerns.

Although the European Commission’s approval does not mark the closure of the acquisition, it is significant progress. The pending acquisition has had a measurable impact on the IdM market. The most obvious being the uncertainty it has left for Sun customers. As the adage goes “it’s the not knowing that kills you.” As Burton Group has done in the past, we encourage Sun IdM customers to remain calm – do not rush to any drastic conclusions regarding the acquisition. One thing that Oracle has consistently communicated throughout its past acquisitions is its intention to provide customers with long-term support and maintenance. Burton Group urges customers to attend the January 27 webcast, continue to check the IdPS blog for updates, and schedule a dialogue with Burton Group analysts to discuss our perspective on a combined Oracle-Sun IdM strategy and the implications it may have in your environment. You may also visit the April, 2009 IdPS blog post where we laid out Burton Group’s perspective on the implications of the acquisition.

Posted by Burton Group IdPS at 02:53 PM in Acquisitions, identity management, Lori Rowland, M&A | Permalink | Comments (0) | TrackBack (0)

December 10, 2009

Identity and Leadership: Sorely Lacking the Latter

Blogger: Kevin Kampman

Last weekend, my wife and I conducted a whirlwind friends and family tour of western Washington State. Starting Friday morning in Seattle, we drove to Marrowstone Island, then to Glacier via Port Townsend, Deception Pass, and Bellingham. Saturday we drove to the top of Mt. Baker, then back to Tukwila. Sunday, we were off to Carnation (just east of Redmond) to visit a horse we helped the Cowgirl Spirit Rescue Drill Team save from slaughter. We met with Juliane and JJ, and turned out Bazkheno DaVinci (you thought only people had naming issues) onto a 20 acre lot with five other rescue horses. It is a sad situation that trained horses like Baz turn up at auction; sadder still that many of them turn up as someone’s dinner.

Sunday evening we had a fine Italian dinner with my wife’s family in Seattle; no pets were on the menu. I did have a conversation about the IT and business divide with one of my cousins, from a business perspective. More about that, later.

Bazkheno DaVinci (grey horse at center) and other rescues, Carnation WA

So, where am I going with this? Burton Group has been following identity, privacy, and electronic health records (EHR) for some time. In particular, the issues around liability and the potential for damages that could occur if patient records aren’t properly managed and protected. There are a variety of solutions coming to market to capture and maintain EHRs; some employers are mandating the use of these services. Microsoft and Google are making significant strides in this area, and Microsoft just made a significant acquisition of Sentillion that bolsters its health care portfolio. Even the government is in the act, providing substantial stimulus money for health records automation.

However, the record on these efforts is not encouraging. In a recent blog: Electronic Health Records: Are They Worth It or Not? by Robert Charette, the author cites research that indicates that while certain efficiencies may be realized by implementing EHR, larger concerns are surfacing about data mining of these records, primarily to benefit insurance and government entities. The blog goes on to state that EHRs may have little or no impact on the quality of or reducing the cost of health care. And, the risk remains that this information will be used for purposes other than originally intended. With the large government investment being made to implement these systems, the possibility exists that the investors, managers, and the government will ride roughshod over patient privacy unless powerful oversight over this information is established.

At dinner Sunday evening, we discussed an IT project that is being rolled out to meet an arbitrary schedule. This is in spite of misgivings on the part of business representatives about project preparedness and the potential impact of failure. The point was made that while the project had known issues, there was no one influential or powerful enough to stand up and question the current state of the effort. No one wants to take the fall. The horse is ready to run, so to speak, if only on three legs.

As part of our current research on governance, we are learning that strategic, shared perspectives about business value and risk throughout projects, programs, enterprises, and communities is frequently lacking. For a business, this is regrettable. When there are life-affecting issues at stake, this is clearly unacceptable. In these situations, governance may not be enough. Leadership skills, advocacy, and authority for those least able to protect themselves are critical. Whether it’s a new financial or patient records system, nothing less is acceptable. Once the horse (or EHR, or any other personally identifiable information) is out the gate, there is little likelihood of bringing it back.

Posted by Burton Group IdPS at 04:01 PM in identity, identity management, identity theft and fraud | Permalink | Comments (1) | TrackBack (0)

September 09, 2009

US Government Identity News

Blogger: Bob Blakley

9/9/9 was a day of announcements. You’ve already undoubtedly heard about the 64GB iPod touch, and if you’ve also heard about the new Leica M9 you know what to get me for Christmas this year.

But the identity world had its own big news today; the news is that the US Government has teamed up with the OpenID Foundation, the Information Card Foundation, the Kantara Initiative, and InCommon in creating the Open Identity Initiative.

This is a really big deal, for two reasons.

First, as a condition of playing with the government in this game, OIDF and ICF have had to address the longest-standing and most serious defect in the open identity ecosystem: the lack of a trust infrastructure. “What’s a trust infrastructure”, I hear you cry...

When you receive an X.509 certificate from a PKI provider, you can go to the provider’s site and read its Certification Practice Statement. This statement provides three critical pieces of information:

What the provider does to ensure that the person who sent you the certificate is who he says he is.
What the provider does to ensure that its own systems aren’t compromised in a way that would allow people to create fraudulent certificates or steal private keys.
What obligations the provider undertakes and what remedies it will provide to its customers (i.e. YOU) if it breaches those obligations.

There’s never been any equivalent of a Certification Practice Statement for open identity providers. Today’s announcement changes that. The Open Identity Initiative has created a Trust Framework Provider Adoption Process which will allow organizations to set themselves up as roots of trust for open identity. Organizations which serve as trust roots will assess the practices and guarantees of identity providers, and they will establish registries of providers and “score” them against a set of identity assurance criteria aligned with the Liberty Alliance Identity Assurance Framework and the OMB M-04-04 and NIST SP 800-63 guidelines.

So, if a few serious organizations sign up to become Trust Framework Providers, we’ll finally have a trust infrastructure for open identity.

The second reason today’s announcement is a really big deal is that, after years of government attempts to create identities and assign them to citizens (via such bad ideas as the UK National ID scheme and the US REAL-ID act), a government has finally recognized that individuals already HAVE identities, and that it’s a better idea, for most purposes, to use these identities than to establish a new government bureaucracy to create new identities – especially if they’re identities people don’t want.

If this initiative succeeds, and I hope it does, it’s almost certain to be a much cheaper route to government consumption of reliable digital identities of citizens than something like REAL-ID would be. And it will preserve consumer choice at the same time as encouraging innovation in commercial identity technology.

So three cheers for Vivek Kundra and the boards of the OpenID Foundation, the Information Card Foundation, the Kantara Initiative, and InCommon. And while we’re at it, let’s not forget to congratulate OSIS and the Internet Identity Workshop, where many of the technologies behind today’s announcement were developed and more of the ideas were born, and the Liberty Alliance, whose work on the Identity Assurance Framework is the keystone of the trust infrastructure we are finally about to see.

Posted by Burton Group IdPS at 04:48 PM in authentication, identity management, identity services, openID, REAL ID, user centric identity | Permalink | Comments (1) | TrackBack (0)

April 30, 2009

Oracle Acquires Sun: The IdM Perspective

Blogger: Mark Diodati

At a macro level, the acquisition puts Oracle in the hardware business. Many organizations running the Oracle Database run it on the Solaris operating system and Sun hardware. This is a "peanut butter and jelly" combination, and it continues to be popular since its introduction over 15 years ago. Sun’s MySQL product will bolster the Oracle Database business, as the product serves a different audience at a different price point than Oracle 11g. The Sun acquisition also puts Oracle in the operating system business for real (though Oracle has offered a flavor of Linux for several years).

From an IdM perspective, there is significant overlap in the provisioning, web access management, and federation product classes. It will take some time before Oracle even announces their plans plus more time to enact the migration plan. Both companies OEM their enterprise SSO offerings from other vendors, so completing the enterprise SSO roadmap should be relatively trivial. Oracle has a strong fine-grained authorization product, the result of its acquisition of BEA in early 2008.

My colleague Ian Glazer notes that both Oracle and Sun have role management products and their functionality is not wholly redundant. Oracle may have the opportunity to build a better, more complete offering.

Sun brings its very popular LDAP-based Java System Directory Server to the table. Oracle also has an LDAP directory server (Oracle Identity Directory), which is frequently deployed to manage users and roles in Oracle Database and application deployments. There is overlap between these two products, and Oracle will need to choose between two very widely deployed directories. Oracle also has a virtual directory product as a result of its 2005 acquisition of OctetString; Sun has no virtual directory capabilities to speak of. Virtual directories are becoming more valuable as organizations tackle identity management projects. From a sales perspective, Oracle's possession of both directory server and virtual directory technologies provides a significant advantage over its IdM competitors.

My colleague Bob Blakley points out that if Oracle wants to keep any of the Sun IdM assets (which is by no means a sure thing), it will have to modify the products to conform to the Fusion Middleware architecture; customers should expect Oracle to make decisions regarding IdM portfolio overlap more on the basis of business considerations than on the technical merits of the products. In any event, Oracle is very likely to place a higher priority on Sun products outside of the IdM suite.

In light of all this, customers currently selecting an IdM vendor who are seriously considering Sun should not panic, but they should speak both to Sun and to Oracle about the potential costs of an IdM migration two to three years out in the event of a completed acquisition. Oracle will not be able to make any forward-looking statements until the acquisition is complete, but the customer discussion with Oracle puts the company on notice that the future of the Sun IdM suite is of interest to the customers it brings on board. Sun customers should seek and Sun may be able to provide contract terms which reduce both future migration costs and risks for customers who are purchasing Sun IdM products during a period of uncertainty. Going forward, all customers must hold Oracle accountable to its service level agreements as there is great opportunity for customer dissatisfaction during this transition period.

In summary, Oracle’s acquires highly complementary hardware and operating system products. From an IdM perspective, the acquisition will bring some roadmap turmoil for the provisioning, web access management, and federation product classes. Oracle’s directory services portfolio (both directory server and virtual directory server) looks very strong, with no competitor coming close to the same capabilities and market share. Add the XACML-based, finer grained authorization capabilities provided by the BEA acquisition, and Oracle has significant coverage in IdM products. Strong synergies exist between IdM and ERP products, and Oracle has both.

For Oracle to be successful, it must improve its product integration and enhancement efforts, which have not been optimal with its prior IdM acquisitions. With this acquisition, Oracle is not just adding one more IdM product to the mix, but an entire suite. My colleague Gerry Gebel has commented that Oracle – and customers - will be in better shape in 2-3 years, after the acquisition dust settles. In the interim, there is great opportunity for aggressive competitors to take advantage of the situation and Oracle must be prepared to defend its turf.

Posted by Burton Group IdPS at 12:16 AM in Acquisitions, identity management | Permalink | Comments (6) | TrackBack (0)

March 20, 2009

IBM and Sun merger talks shake up the IdM industry

[from the IdPS team]

The Wall Street Journal’s article claiming that IBM was in negotiations to acquire Sun Microsystems stirred up conversations across a spectrum of technology segments from data centers to servers to app servers and on and on. Our colleagues have commented on other aspects of this deal here and here. Before we all get totally ahead of ourselves, the deal (if there is one in the works) is not yet finalized so any commentary is quite speculative at this point. However, many in the industry, Sun and IBM customers especially, are pondering the outcome. With that in mind, here are some early thoughts on possible identity management outcomes.

Role management: Might as well take the easy one first. IBM utilizes partners for role management today, so Sun’s product fills a large hole. Since Sun Role Manager came about through the acquisition of the general-purpose role management vendor VAAU, integration with the IBM identity management product line will be complementary, if not synergistic. Acquisition of the product, development, and delivery resources is clearly an advantage for IBM.

User provisioning: Both vendors have mature products with large market shares, but the two products have significantly different data architectures. Would IBM contemplate keeping both products in their portfolio? Combining the two products would take many years and put both products’ customers through a lot of grief.

Web Access Management/Federation: Sun has OpenSSO (previously Sun Access Manager). IBM has Tivoli Access Manager for e-business (TAMeb). The former is simpler to deploy, is endpoint-based, and has a smaller market share as compared to IBM’s offering. TAMeb is more complex to deploy but has a significantly larger market share. Both products have federation capabilities. Sun is building entitlement management into OpenSSO, but IBM released Tivoli Security Policy Manager last year.
Despite tremendous strides in OpenSSO functionality in recent years, look to IBM to jettison most of OpenSSO in the long-term, and go with its own WAM, federation, and entitlement management products. Sun possesses some innovative federation technology– the Fedlet and virtual federation. The Fedlet is a lightweight implementation of SAML 2.0, which can be embedded in a Java EE Web application. Virtual federation makes it easier to enable federation for multiple legacy applications with a single instance of OpenSSO. Look for IBM to absorb the Fedlet and virtual federation into its developerWorks program.

Enterprise SSO: Sun has a relationship with ActivIdentity and resells the company’s SecureLogin product. IBM recently acquired Encentuate last year, and now possesses an eSSO product in its stable. Look for IBM to jettison the relationship with ActivIdentity – its competitor in the eSSO market. Novell recently acquired a perpetual code license from ActivIdentity for SecureLogin. The license gives Novell access to the SecureLogin source code, which enables Novell to make enhancements and take the product in a different direction. If the IBM-Sun deal goes through, it means that two of ActivIdentity’s major partners will be gone, potentially putting SecureLogin on life support. Don’t cry too much for ActivIdentity; it has the market-leading smart card management system; both Sun and IBM must integrate with it.

Directory Server: Sun has the market-leading directory server, if you exclude Active Directory, which is primarily deployed for its network operating system. IBM has Tivoli Directory Server. Look for IBM to continue to support both products. Today, IBM provides integration with Sun Java System Directory Server because it must ensure compatibility with its IdM products (e.g., TAMeb). IBM can’t drop Tivoli Directory Server because that product has its tentacles in too many IBM products.

Virtual and Meta Directory Server: Neither company has a competitive, full-featured virtual directory server and must partner for this capability. Look for IBM to continue to partner with Radiant Logic, and to a lesser extent Symlabs as development continues on Sun’s virtual directory project. IBM has a meta-directory, from its acquisition of Metamerge, so this technology area is pretty complementary.

Sun’s open source strategy: What does IBM do with all of Sun’s open source projects? Do they all get folded into Eclipse Foundation somehow?

Bottom line: Except for role management, virtual directory, and meta-directory, there are many overlaps in the two vendors’ IdM portfolios that will have to be resolved over time. It is much too early to determine which direction IBM would take, but there is a large Sun customer base to placate – not to mention many more prospective customers in the pipeline.

Posted by Burton Group IdPS at 09:27 AM in identity management | Permalink | Comments (0) | TrackBack (0)

March 18, 2009

Is a bad economy good for identity?

Blogger: Lori Rowland

The financial meltdown of 2008-2009 has had a significant impact on the identity management market, but it might not be in the way you expect. Organizations have undergone significant business transformation including mergers and acquisitions, business closures, restructuring, outsourcing, layoffs, furloughs, and terminations. These changes have highlighted the need for effective identity management processes.

One of the most obvious value propositions of identity management given today’s economic conditions is the de-provisioning of users’ and their access rights. The need for timely de-provisioning of access rights was recently exemplified by a situation at Fannie Mae. Several news outlets have reported on an incident in which a contract employee was allowed to stay on premise for several hours after he was terminated. Worse yet, his network access was not revoked until even later that evening. This gave him just enough time to place a malicious piece of code on Fannie Mae servers. Luckily an observant engineer discovered the code before it was executed, otherwise the code would have brought down thousands of servers, most certainly impacting Fannie Mae’s bottom line.

De-provisioning is not the only identity management benefit that comes to bear in a bad economy. For example, organizations want to ensure that the employees they have acquired (either through a new hire process or acquisition) are up and running on day one. Others want to physically secure their environment and protect information and other assets– this is particularly true in environments where layoffs have occurred or in which the competition is fierce. Last, but not least, is the ever present need to meet compliance obligations – chances are the demand for stricter controls is only going to be increased due to the economic crisis.

Burton Group is in the process of updating our 2009 Identity Management Market Overview report. As part of the research for this report we are reaching out to our customers in order to find out what impact the bad economy has had on their identity management (IdM) initiatives and project funding. It is too early to give a final verdict, but early indications suggest that identity management initiatives are still going strong. As one organization put it “businesses are not willing to sacrifice controls, compliance, or security in order to cut costs.” This is not to say that some projects are not being cut, we have seen some of that, but we are also seeing organizations move their identity management projects to the forefront and recommit to their success.

Another indication that the identity management market is thriving is the fact that vendors like Courion, Imprivata, Sentillion, and Sun have recently reported year over year growth and, in some cases, record growth for their identity management products. This is just a sampling of vendors, we are certain that there are others who are also experiencing similar growth in their identity management product lines.

Although we are seeing interest in identity management growing, organizations are demanding alternatives to the traditional identity management suite or delivery model. Organizations are looking at identity services for SOA based environments, outsourcing, hosted solutions, open source, subscription based licensing, and cloud based solutions all in an effort to reduce costs and simplify deployments. Burton Group will be discussing this and other identity management trends in our forthcoming Identity Management Market Overview report and the Emerging Identity Services Market report. We also will be deep diving into these topics at our Catalyst conference in July.

All in all –the bad economy seems to have been good for identity management. It has not only brought the need for efficient identity management processes to the attention of organizations and subsequently boosted sales in identity management products, but has forced vendors to offer alternatives to the often bloated, identity management product delivery model.

Posted by Burton Group IdPS at 12:43 PM in burtongroupcatalyst09, identity management, Lori Rowland, provisioning | Permalink | Comments (1) | TrackBack (0)

March 03, 2009

Green bar paper, death decks, and process improvement

Blogger: Kevin Kampman

In my speaking engagements, I've learned that I sometimes refer to experiences that make no sense to younger folks in the audience. For example, I once spoke about a military data breach where physical, paper records about veterans were removed from an archive facility. I teasingly referred to the "green bar" records as the media that was stolen. I learned later from a participant in the audience that about half of the people there had never seen a report printed on paper with those printed green bars (a feature designed to improve readability). A dinosaur, it seems.

I've learned to keep this in mind when I address an audience, and in fact, use it as a way to gauge their experience. A term I used last week to refer to a security threat was "death deck", a term that hearkens back to the days when computers read programming instructions from something known as a "tab card". It seems that a programmer about to lose his job left a script in place that would destroy data on the computers at a lending institution, delete the OS, and shut the serves down. Fortunately his script was discovered beforehand, and he is now being prosecuted. In olden days, this sort of script was referred to as a death deck. The only difference between then and now is the media employed. Only two people out of 50 had heard the term, or would admit to it.

Subsequent to my speech, I met with a company who had been trying for a number of years to get an identity management initiative off the ground. There were many people in the room; all there looking for magic insights about how to achieve efficiency, demonstrate return on investment, and achieve compliance. A basic issue they cited is that it takes three weeks for new hires to get assigned to resources; in the meantime the new hires sweep floors. While this may seem like a provisioning problem, we've also come to understand that there may be something more fundamental at work here: Poor business processes.

When I started in the IT industry, one of my first jobs was designing business forms. You might not know what that is, but essentially forms were (and are) a way to design and implement a business process. A good forms design demonstrated the process essentials, demonstrated workflows, and captured the associated attributes and decision artifacts. Designing a form required a good understanding of its application. During the analysis effort, more efficient alternatives often became apparent. As with any automation effort, a good form could not make up for a bad process. It could, however, help to point one out.

In the organization with apparent IdM challenges, the audience was mostly IT folks. No one from the business or human resources community was present for our meeting. Given their difficulty in justifying their initiative, or even finding the right problem to solve, I think it is important to point out that IdM doesn't operate in a vacuum. It is integrally related to business processes and procedures, and this alignment can't be discounted. The point of this is that IdM efforts must always demonstrate business alignment. On the other hand, if the organization has process challenges, they shouldn't look to IdM to solve them. Proper process design and flow are essential to the success of any initiative, regardless of the technology we employ to implement it.

Posted by Burton Group IdPS at 05:36 PM in identity management, Kevin Kampman | Permalink | Comments (0) | TrackBack (0)

September 04, 2008

Thinking about Matt’s Simple Question: Correlating accounts and people

Blogger: Ian Glazer

Matt Hamlin, over at Sun, mentioned a conversation we had last week about a topic in identity management which doesn't usually get a lot of airtime: the correlation of accounts to people. The exercise is the first step in answering Matt's simple question of "Who has access to what?" Matt writes:

This step is the foundation for Access Certification, Role Mining, Entitlements Management, Policy Evaluation, Identity Auditing, and numerous other custom services developed by our customers.

There were two major omissions in his list: password management and user provisioning. The reality is the correlating of accounts to people is a requirement for all identity management exercises. This correlation isn't glamorous work and isn't a one time affair. None the less, it is crucial "Identity Gold" for identity management projects, but also as the foundation for risk mitigation exercises as well.

Here's a tip to enterprises out there - ask your software vendors and deployment teams what capabilities they have to help facilitate this correlation. Ask early and before you start down the path of an identity project. Make it an on-going process governed by your overall identity management program.

I'll be touching on this a bit in an upcoming Telebriefing I am doing. On October 1st and 2nd, I'll be giving a sneak peak of my research on access certification and will cover this and other topics. If you are a Burton Group subscriber, you should check it out. If you aren't a BG customer, you should become one. ;-)

Posted by Burton Group IdPS at 05:02 PM in audit, identity management, role management | Permalink | Comments (1) | TrackBack (0)

March 13, 2008

Why Enterprise Single Sign-On (E-SSO) is More Than Just a Tactical Add-on

Blogger: Phil Schacter

Today’s announcement of IBM’s acquisition of Encentuate, primarily positioned as a supplier of enterprise SSO technology, is a significant milestone in the maturing of the market for E-SSO. Two years ago E-SSO was viewed as a standalone product that was somewhat complementary to the deployment of stronger authentication and a convenient way to support legacy applications with internal logic that prompted for login credentials, typically a user id and a simple password.

Most identity and access management vendors were content to license or resell technology obtained from smaller specialist firms. IBM, Oracle and Sun partnered with Passlogix, while Novell works with ActivIdentity and Quest with Evidian. CA has its own E-SSO offering stemming from an earlier acquisition of Platinum/Memco.

However, the identity and access management vendors discovered that E-SSO was both a market accelerator and offered some important features of interest to customers with regulatory compliance requirements. E-SSO has a shorter sales cycle (typically six months or less) and is able to deploy more rapidly (one to three months depending on the complexity of the environment). Cost for E-SSO varies but many deals are less than $100K, which is easier on the IT budget than most user provisioning software and service projects. Customers could start with E-SSO and then over time add user provisioning, web SSO, federated SSO, and other components of the identity management suites. E-SSO technology also can provide an audit trail of user sessions and any interactions with applications accessed through the E-SSO system.

So who wins in the IBM deal to acquire Encentuate? First, it’s a big win for Encentuate’s 80 plus customers that can look forward to continued support and a more aggressive product roadmap funded by a premier vendor. Although no financial numbers were shared the deal provides an exit strategy for investors that poured about $24M into Encentuate over the years. The 160 plus customers of IBM’s TAM ESSO v6 will have support from IBM for three years from v6’s general availability date of February 2007. They also will have to choose between continuing to use ESSO v6, and transitioning to become a direct Passlogix customer, or migrating to IBM’s new v7 offering, based on the technology acquired from Encentuate. TAM ESSO v7 is expected to be available in Q3 2008 and will include planned enhancements to Encentuate’s product plus address IBM’s integration requirements.

IBM also plans to build on the engineering talent obtained as a part of this acquisition to build out a Security Software Lab in Singapore for more than just the E-SSO and former Encentuate product lines. This area offers high quality engineering talent and a more efficient operational infrastructure and cost than labs based in some other regions. Another key reason for IBM’s shift to a new technology provider is that Encentuate builds on a J2EE foundation, as do most other Tivoli product offerings.

Another interesting question is what is the impact of the IBM deal on their former partner, Passlogix? Clearly IBM will try hard to convince existing customers that they should migrate to TAM ESSO v7, but any migration is hard and it’s not clear who will fund the professional service cost of doing so. Passlogix expects to derive significant ongoing maintenance revenue from a portion of IBM’s 160 customers, and that this revenue stream will more than offset any lost OEM royalties. There is also the question of what happens to the healthy pipeline for ESSO v6 and whether Passlogix can convert any of these prospects into direct customers. Overall Passlogix is prospering in a strong market for E-SSO and related offerings, and indicates that no one source contributes more than a sixth of overall business revenue.

One final observation about the impact of this deal is that it’s likely to start one final wave of consolidation, with Oracle and Sun considering the business risk of the other acquiring Passlogix first. Another acquisition that should probably happen is for Novell to buy ActivIdentity. Novell already provides the channel for 80% of ActivIdentity’s business, so why not bring this important function inhouse?

Posted by Burton Group IdPS at 05:09 PM in Acquisitions, authentication, identity management | Permalink | Comments (2) | TrackBack (0)

Burton Group Identity Blog