Catalyst Conference 2008


March 13, 2008

Why Enterprise Single Sign-On (E-SSO) is More Than Just a Tactical Add-on

Blogger: Phil Schacter

Today’s announcement of IBM’s acquisition of Encentuate, primarily positioned as a supplier of enterprise SSO technology, is a significant milestone in the maturing of the market for E-SSO. Two years ago E-SSO was viewed as a standalone product that was somewhat complementary to the deployment of stronger authentication and a convenient way to support legacy applications with internal logic that prompted for login credentials, typically a user id and a simple password.

Most identity and access management vendors were content to license or resell technology obtained from smaller specialist firms: IBM, Oracle and Sun partnered with Passlogix, Novell with ActivIdentity, and Quest with Evidian. CA has its own E-SSO offering stemming from an earlier acquisition of Platinum/Memco.

However, the identity and access management vendors discovered that E-SSO was both a market accelerator and offered some important features of interest to customers with regulatory compliance requirements. E-SSO has a shorter sales cycle (typically six months or less) and is able to deploy more rapidly (one to three months depending on the complexity of the environment). Cost for E-SSO varies but many deals are less than $100K, which is easier on the IT budget than most user provisioning software and service projects. Customers could start with E-SSO and then over time add user provisioning, web SSO, federated SSO, and other components of the identity management suites. E-SSO technology also can provide an audit trail of user sessions and any interactions with applications accessed through the E-SSO system.

So who wins in the IBM deal to acquire Encentuate? First, it’s a big win for Encentuate’s 80 plus customers, who can look forward to continued support and a more aggressive product roadmap funded by a premier vendor. Although no financial numbers were shared, the deal provides an exit strategy for the investors that poured about $24M into Encentuate over the years. The 160 plus customers of IBM’s TAM ESSO v6 will have support from IBM for three years from v6’s general availability date of February 2007. They will also have to choose among continuing to use ESSO v6, transitioning to become a direct Passlogix customer, or migrating to IBM’s new v7 offering, based on the technology acquired from Encentuate. TAM ESSO v7 is expected to be available in Q3 2008 and will include planned enhancements to Encentuate’s product plus address IBM’s integration requirements.

IBM also plans to build on the engineering talent obtained as a part of this acquisition to build out a Security Software Lab in Singapore for more than just the E-SSO and former Encentuate product lines. The region offers high-quality engineering talent at a lower operational cost than labs based in some other regions. Another key reason for IBM’s shift to a new technology provider is that Encentuate builds on a J2EE foundation, as do most other Tivoli product offerings.

Another interesting question is what impact the IBM deal has on IBM’s former partner, Passlogix. Clearly IBM will try hard to convince existing customers that they should migrate to TAM ESSO v7, but any migration is hard and it’s not clear who will fund the professional service cost of doing so. Passlogix expects to derive significant ongoing maintenance revenue from a portion of IBM’s 160 customers, and that this revenue stream will more than offset any lost OEM royalties. There is also the question of what happens to the healthy pipeline for ESSO v6 and whether Passlogix can convert any of these prospects into direct customers. Overall Passlogix is prospering in a strong market for E-SSO and related offerings, and indicates that no one source contributes more than a sixth of overall business revenue.

One final observation about the impact of this deal is that it’s likely to start one final wave of consolidation, with Oracle and Sun each weighing the business risk of the other acquiring Passlogix first. Another acquisition that should probably happen is for Novell to buy ActivIdentity. Novell already provides the channel for 80% of ActivIdentity’s business, so why not bring this important function in-house?

March 03, 2008

HP's Identity Retrenchment

Bloggers: Bob Blakley, Lori Rowland, Gerry Gebel

Burton Group frequently discusses the fiercely competitive nature of the identity management (IdM) market. This continues to be a consolidating market characterized by numerous mergers, acquisitions and vendor exits.

Burton Group has specifically commented on HP’s struggle to succeed in this competitive market. Burton Group’s Identity and Privacy Strategies Report, “The Identity Management Market 2007: An Expanding Universe”, our Catalyst 2007 Keynote “Identity Management Market Landscape 2007: Enabling Security and Control Objectives in the Enterprise”, and our “Vantage Point 2007: Trends in Identity Management” telebriefing all noted that HP’s ability to compete, mindshare, and market momentum have been in sharp decline.

Burton Group has been contacted by HP customers who report that HP is no longer going to seek new customers for its Identity Center product.  We have contacted HP and the company confirms that HP Software has decided to focus its investment in identity management products exclusively on existing customers and not on pursuing additional customers or market share. HP is in the process of reaching out to each customer regarding the change. Last week Burton Group spoke to HP Software Vice President of Products Eric Vishria regarding this development. 

Vishria explained that the Identity Center product line was not performing in this highly competitive market at a level that’s acceptable to HP, but added that the product supports the operations of a number of HP’s critical customers.  HP has therefore made the decision to focus research and development efforts on existing customers only.

The company does have a respectable number of existing customers. HP is in the process of reaching out to these customers to assist them with their identity management needs going forward. HP also feels that Identity Center represents an excellent set of technologies. For these reasons, HP has decided not to declare end-of-life for the product.  This means that HP will continue to provide technical support to existing customers and will maintain a development staff to make product enhancements based on needs of existing customers.  Vishria did not specify how long this technical support and product enhancement will continue. However, he did acknowledge that HP had considered options including end-of-life for Identity Center, and had consciously decided against declaring end-of-life so as to extend support and development beyond the two years typically allotted for an end-of-life product.

HP’s decision is clearly a blow to the company’s current IdM customers and to anyone who was considering purchasing their products. HP’s commitment to current customers is commendable; this commitment obviously cannot be open-ended, so now is the time for current HP customers to start planning.

In view of HP’s decision, Burton Group has recommendations for existing HP customers, non-HP customers, and other vendors competing in this market.

First and foremost, current HP customers should not panic. HP has no intention of abandoning its existing Identity Management customers.  Your first step should be to contact HP for clarification of the situation; HP is in the process of reaching out to all of its Identity Center customers, and you are undoubtedly already on their radar.  Existing customers will, however, need to decide going forward whether they will stick with their investments or consider moving to another product. Even if the decision is to move to another product, HP’s strategy and commitment allows customers to exit in an orderly and timely fashion.

After not panicking, existing customers must think strategically. It’s fair to assume that HP will not be able to keep pace on product enhancements when compared to other vendors who are fully committed to the IdM market and who are deriving revenue from new product sales. Organizations with HP Identity Center deployments will need to evaluate all of their options going forward.

Customers of other IdM vendors and customers considering new IdM deployments should also be carefully scrutinizing this announcement. As the market becomes increasingly competitive it is imperative that customers evaluate the viability and long-term strategy of their existing and potential IdM vendors. Burton Group predicts that the market will see continued, or even increased, consolidation in coming months.

Another point worth mentioning is how HP’s announcement illustrates the fierce competition in the IdM market, even for a vendor the size of HP. There is extreme pressure from all sides in the IdM market, particularly for smaller vendors, but HP proves that even the giants are not immune from difficulty.

Finally, IdM vendors: now is a good time to evaluate your commitment to the market, being completely realistic about the level of investment required to compete successfully in the crowded Identity Management space.

March 02, 2008

So many identity conferences, so little time

Blogger: Gerry Gebel

If you use conferences as a guide, then identity management is hotter than ever. It seems a month doesn’t go by without at least one event that is identity related and March 2008 is no exception. In fact, I’m participating in two conferences this week in Europe – where the list of interesting identity-related events continues to grow. On Monday, I’ll be at the Net ID 2008 conference in Basel, Switzerland talking about SharePoint access and identity management. I’ll also be on a panel discussing interoperability – a favorite topic of mine, so this should be fun.

Later in the week, I’ll be presenting at the ic Consult conference at BMW World in Munich. My presentation is titled “IdM Markt, Schwerpunkt SSO” (IdM Market, Focus on SSO) in the program, but rest assured I will be doing this in English and not torturing the audience with my meager German language skills!  The guys at ic Consult always put on a great program – I’ve had the great fortune to participate in their fall event that happens to coincide with Oktoberfest… In any language, it’s remarkable that, as an industry, we haven’t done more to ease the authentication burden for end users. Certainly, there are enough technologies to choose from: passwords, smart cards, PKI, federation, E-SSO, Kerberos, SPNEGO, GSS-API, and the list goes on. But the problem, if anything, is getting worse.

In addition to talking about SSO in Munich, we’ll be focusing quite a bit of attention on authentication at Catalyst this June. My colleague, Mark Diodati, is leading the charge on that topic and you’ll hear more from him about it between now and the conference.

Novell rounds out the March conference schedule with their BrainShare event in Salt Lake City. While not exclusively focused on identity, Novell includes a heavy dose of it on the agenda. And one of the better features is that this conference is local to the Burton Group headquarters. Hope to see you on the road, or on home territory this month. 

October 16, 2007

The Growing IdM Suite

Blogger: Mark Diodati

Over the years, we have watched IdM vendors acquire companies and their products to round out their suites.  The list is long, and goes back before anyone was talking about “identity management”.  CA acquired Platinum in 1999, which brought enterprise SSO and UNIX security solutions into the stable.  You might argue that an OS security product is not part of IdM, but it provides authorization services and therefore fits the definition.  In late 2004, CA acquired Netegrity and its flagship product SiteMinder.  Oracle has been on a tear recently, having acquired Oblix (WAM and federation), Octet String (virtual directory), Thor (user provisioning), Bharosa (consumer authentication), and Bridgestream (role management).  IBM has done the same thing, with its acquisition of DASCOM (WAM) in 1999, and Access360 (provisioning) and Metamerge (metadirectory) in 2002.  Sun has made similar acquisitions (e.g., Waveset for provisioning).  The list is by no means exhaustive.

The trend raises the question: “What’s next?”  Ignoring the obvious GRC market, three product markets are ripe for acquisition in the near term: enterprise SSO, virtual directories, and privileged account management.  My prediction does not place me in the same league as Nostradamus (or Criss Angel for that matter, who dabbles in this art), as Oracle has already acquired a virtual directory company (Octet String).  As the consumer authentication and entitlement management markets mature over time, companies with these products will also be candidates for acquisition.

Few enterprise SSO companies exist in the marketplace.  ActivCard (now ActivIdentity) acquired Protocom to enhance its existing capabilities.  The company with the biggest bulls-eye on its back is Passlogix.  Passlogix OEMs its v-Go eSSO product to Oracle, Sun, and IBM.  The Citrix product has a residual amount of Passlogix code in it.  Whoever picks up Passlogix has the opportunity to shake up the market and irritate its competitors.  CA has its own eSSO product as a result of its acquisition of Platinum (which had acquired Memco). 

Similarly, there are very few virtual directory vendors.  BMC Software acquired Calendra, Oracle acquired Octet String, and SAP acquired MaXware.  The remaining vendors are Radiant Logic and Symlabs, and they are good targets for IBM, CA, and Sun as they all have WAM systems and LDAP directories that integrate quite nicely with the virtual directories.  Yes, Sun’s directory picked up some limited virtual directory capabilities this year, but the capabilities aren’t competitive with the other products.  More than any other product, virtual directories make IdM projects (e.g., WAM, eSSO, federation) possible because they abstract away the many identity repositories for consuming applications.  The virtual directory enables the vendor to sell more of the products in its suite.
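To make the “abstract away the many identity repositories” point concrete, here is an added example (not code from the original post or from any of the vendors named) of what a virtual directory does for a consuming application: one lookup interface over three differently shaped stores. The stores, their attribute names, the join key (AD’s employeeID against the HR employee number) and the “c-” contractor namespace are all constructed assumptions for the example; a real deployment would back them with LDAP, SQL or HR connectors.

```python
"""Toy virtual directory: one normalized schema over several identity stores.
Example code, not any vendor's product. All data below is constructed."""

HR_DB = {  # HR system of record, keyed by employee number (constructed)
    "10001": {"emp_no": "10001", "first": "Grace", "last": "Hopper",
              "dept": "Engineering", "manager": None, "status": "active"},
    "10042": {"emp_no": "10042", "first": "Ada", "last": "Lovelace",
              "dept": "Engineering", "manager": "10001", "status": "active"},
    "10077": {"emp_no": "10077", "first": "Alan", "last": "Turing",
              "dept": "Research", "manager": "10001", "status": "terminated"},
}
AD = {  # Active Directory-style store keyed by sAMAccountName (constructed)
    "ghopper": {"employeeID": "10001", "mail": "ghopper@example.com",
                "memberOf": ["CN=eng-admins,OU=Groups,DC=example,DC=com"]},
    "alovelace": {"employeeID": "10042", "mail": "alovelace@example.com",
                  "memberOf": ["CN=eng,OU=Groups,DC=example,DC=com"]},
    "aturing": {"employeeID": "10077", "mail": "aturing@example.com",
                "memberOf": ["CN=research,OU=Groups,DC=example,DC=com"]},
    "jdoe": {"employeeID": "99999", "mail": "jdoe@example.com",  # no HR record
             "memberOf": ["CN=eng,OU=Groups,DC=example,DC=com"]},
}
CONTRACTORS = {  # vendor-management system with its own schema (constructed)
    "c-9": {"id": "c-9", "name": "Edsger Dijkstra", "company": "Acme Consulting",
            "email": "edsger@acme.example", "sponsor": "10001"},
}


class VirtualDirectory:
    """Presents employees and contractors under one schema:
    uid, cn, mail, employeeType, manager (a uid), groups, active."""

    def __init__(self, hr=HR_DB, ad=AD, contractors=CONTRACTORS):
        self._hr, self._ad, self._contractors = hr, ad, contractors
        # Secondary index so the HR->AD join does not scan AD on every lookup.
        self._ad_by_emp = {v["employeeID"]: k for k, v in ad.items()}

    def _employee(self, sam):
        ad = self._ad.get(sam)
        if ad is None:
            return None
        hr = self._hr.get(ad["employeeID"])
        if hr is None:
            # An AD account with no HR record is an orphan: surface it as
            # inactive rather than inventing attributes for it.
            return {"uid": sam, "cn": sam, "mail": ad["mail"], "employeeType": "orphan",
                    "manager": None, "groups": list(ad["memberOf"]), "active": False}
        return {
            "uid": sam,
            "cn": f'{hr["first"]} {hr["last"]}',
            "mail": ad["mail"],
            "employeeType": "employee",
            "manager": self._ad_by_emp.get(hr["manager"]),  # emp_no -> uid
            "groups": list(ad["memberOf"]),
            "active": hr["status"] == "active",  # HR, not AD, decides liveness
        }

    def _contractor(self, cid):
        c = self._contractors.get(cid)
        if c is None:
            return None
        return {"uid": cid, "cn": c["name"], "mail": c["email"],
                "employeeType": "contractor",
                "manager": self._ad_by_emp.get(c["sponsor"]),
                "groups": [], "active": True}

    def lookup(self, uid):
        """Route by namespace: 'c-' ids live in the contractor store, anything
        else is an AD account. The application never sees the three stores."""
        if uid.startswith("c-"):
            return self._contractor(uid)
        return self._employee(uid)

    def find_by_mail(self, mail):
        mail = mail.lower()
        for sam, ad in self._ad.items():
            if ad["mail"].lower() == mail:
                return self._employee(sam)
        for cid, c in self._contractors.items():
            if c["email"].lower() == mail:
                return self._contractor(cid)
        return None

    def active_members_of(self, group_dn):
        """The kind of query a WAM or eSSO product asks: who in this group is
        still an active employee according to the joined view?"""
        return sorted(sam for sam in self._ad
                      if group_dn in self._ad[sam]["memberOf"]
                      and self._employee(sam)["active"])
```

The terminated employee and the orphaned AD account are the cases worth noticing: both still exist in AD, but the joined view reports them as inactive, which is exactly the cross-repository answer a consuming application cannot get from any single store.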

As you may have guessed, there are very few privileged account management vendors.  There are seven vendors in total, with three vendors entering the market this year.  These products restrict access to the password of a privileged account by requiring users to check it out (which also produces the audit trail compliance auditors want) and by changing the password frequently.  Given the products' substantial growth since 2006 due to compliance pressures (the number of customers has at least doubled), the acquisition of Cloakware, Cyber-Ark, or e-DMZ Security by an IdM vendor is a reasonable outcome.
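The checkout-and-rotate mechanism described above, as an added example in Python (not code from the original post and not any of the named vendors’ products). The vault enforces exclusive, time-limited checkout of an account’s password, rotates the password on every check-in and on a schedule, and keeps an append-only audit trail. The account names, the lease and rotation intervals, and the callback through which the vault pushes a new password to the managed system are all assumptions made for the example; the scenario in `demo()` is constructed.

```python
"""Toy privileged-account password vault: exclusive checkout, time-limited
leases, rotation on check-in and on a schedule, and an audit trail.
Example code, not any vendor's product."""
import secrets
import string
import time
from dataclasses import dataclass

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def generate_password(length: int = 24) -> str:
    """Random password from the OS CSPRNG over a 72-symbol alphabet."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Lease:
    user: str
    reason: str
    issued_at: float
    expires_at: float


class CheckoutError(Exception):
    pass


class Vault:
    def __init__(self, max_lease_seconds=3600, max_password_age=86400, clock=time.time):
        self._clock = clock              # injectable so the demo can advance time
        self._max_lease = max_lease_seconds
        self._max_age = max_password_age
        self._passwords = {}             # account -> current password
        self._rotated_at = {}            # account -> when it was last changed
        self._push = {}                  # account -> callback that sets it on the target
        self._leases = {}                # account -> Lease held by the current user
        self.audit = []                  # append-only: (time, event, account, user, detail)

    def _log(self, event, account, user, detail=""):
        self.audit.append((self._clock(), event, account, user, detail))

    def _rotate(self, account, why):
        new_pw = generate_password()
        self._push[account](new_pw)      # change it on the managed system first,
        self._passwords[account] = new_pw  # then record it, so the vault never
        self._rotated_at[account] = self._clock()  # holds a password the target rejects
        self._log("rotate", account, "-", why)

    def enroll(self, account, push_password):
        """Take control of an account. push_password(new_pw) is the assumed
        interface to the managed system (SSH, an API, a connector...)."""
        self._push[account] = push_password
        self._rotate(account, "enroll")

    def checkout(self, account, user, reason):
        if not reason.strip():
            raise CheckoutError("a reason is required for the audit trail")
        now = self._clock()
        lease = self._leases.get(account)
        if lease and lease.expires_at > now:
            self._log("deny", account, user, f"held by {lease.user}")
            raise CheckoutError(f"{account} is checked out by {lease.user}")
        if lease:  # holder never checked in: rotate before anyone else gets it
            self._log("expire", account, lease.user, "lease expired without check-in")
            self._rotate(account, "expired lease")
        if now - self._rotated_at[account] > self._max_age:
            self._rotate(account, "scheduled rotation")
        self._leases[account] = Lease(user, reason, now, now + self._max_lease)
        self._log("checkout", account, user, reason)
        return self._passwords[account]

    def checkin(self, account, user):
        lease = self._leases.get(account)
        if lease is None or lease.user != user:
            raise CheckoutError(f"{user} does not hold {account}")
        del self._leases[account]
        self._log("checkin", account, user)
        self._rotate(account, "check-in")  # the password the user saw is now dead


def demo():
    """Constructed scenario: two admins contend for root on one host."""
    clock = [1_000_000.0]
    host = {}                            # stands in for the managed host's password store
    v = Vault(max_lease_seconds=600, max_password_age=3600, clock=lambda: clock[0])
    v.enroll("root@db01", lambda pw: host.__setitem__("root", pw))
    first = v.checkout("root@db01", "alice", "restore backup")
    try:
        v.checkout("root@db01", "bob", "patching")
        contended = False
    except CheckoutError:
        contended = True
    clock[0] += 120
    v.checkin("root@db01", "alice")
    second = v.checkout("root@db01", "bob", "patching")
    return {"contended": contended,
            "rotated_on_checkin": first != second,
            "host_matches_vault": host["root"] == second,
            "events": [e[1] for e in v.audit]}
```

Two design points worth noting: the password is changed on the target before the vault records it, so a failed push leaves the old, still-valid password in place rather than a vault full of passwords that no longer work; and an expired lease is treated as a check-in that never happened, so the next checkout forces a rotation before a new user receives anything.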

What do you think?  Let us know.

Now that we’ve discussed potential acquisition candidates, two remaining questions come to mind.  We’ll address these questions in a future blog entry.

  • Does the continued acquisition of additional products enhance the IdM Suite?
  • Was the IdM suite ever meaningful?

October 15, 2007

Identity - Lost in the Standards

Blogger: Kevin Kampman

Last year, there was an initiative launched by the American National Standards Institute (ANSI) and the Better Business Bureau (BBB) to examine ways to prevent identity theft. Last month, I attended a plenary session of the Identity Theft Prevention and Identity Management Standards Panel (IDSP) to learn how this effort was progressing. I was also interested to learn how the needs of consumers are being addressed.

The goal of the IDSP is to develop an inventory of existing standards related to identity. This work has been divided into three areas: Issuance, Exchange, and Maintenance and Management. The attendees came from a variety of communities, including government and standards bodies, financial and credit services, professional services, the software industry, and others.

The inventory of standards and regulations related to identity is impressive. Without diving into details, many are familiar, such as HIPAA and GLB. Many others are more obscure and limited to a particular domain. One would think that with the extensive list of controls, identity would be well understood and articulated.

However, the devil is in the details. For example, some of the regulations, like REAL ID, are mired in political challenges between the state and federal governments. Others, like HSPD-12, are limited to the federal government.

Many identity issues live on the fringes, for example, where no birth certificate was issued, or when someone migrates to the US from another country. Particular vulnerability areas were also identified, such as the exploitation of children by parents or guardians, theft of military or elderly identities, assumption of identities from the deceased, and so on.

Other identity issues stare us directly in the face. I recently spoke with a business intelligence analyst on a cross-country flight. He was quite concerned about how information about our affinity, debit, and credit purchases is aggregated and sold to other parties for unrelated purposes, such as insurance eligibility. The implication is that if you buy a carton of cigarettes or a bottle of liquor, this information will be used without your knowledge to provide or deny coverage, or to identify the rate you’ll pay.

This exchange of so-called personal information may not be covered by privacy regulations and represents an ethical challenge that most people don’t consider, much less care about (until it is used to their disadvantage). Standards that force people to opt-in, rather than to opt-out of this information sharing are sorely lacking, as are the ethical guidelines about what information should be shared for what purpose.

The work being accomplished by the IDSP will go a long way towards exposing what is, and isn’t in place to regulate the use of identity information. The latter will most likely be exposed by unfortunate experiences, tested in the courts, and addressed by the state and federal governments. It would be a significant benefit to everyone if the efforts of the IDSP expose these gaps and inconsistencies and make mitigation recommendations to commercial and government interests.

May 23, 2007

Reporting on a REAL ID report

Blogger: Bob Blakley

DHS’ Data Privacy and Integrity Advisory Committee has issued its report on the implementation of the REAL ID Act; the report, which is excellent, can be found here.

The report’s introduction lays it out pretty explicitly:

“The REAL ID Act is one of the largest identity management undertakings in history. It would bring more than 200 million people from a large, diverse, and mobile country within a uniformly defined identity system, jointly operated by state governments. This has never been done before in the USA, and it raises numerous policy, privacy, and data security issues that have had only brief scrutiny, particularly given the scope and scale of the undertaking.

It is critical that specific issues be carefully considered before developing and deploying a uniform identity management system in the 21st century. These include, but are not limited to, the implementation costs, the privacy consequences, the security of stored identity documents and personal information, redress and fairness, mission creep, and, perhaps most importantly, provisions for national security protections.

The Department of Homeland Security's Notice of Proposed Rulemaking touched on some of these issues, though it did not explore them in the depth necessary for a system of such magnitude and such consequence. Given that these issues have not received adequate consideration, the Committee feels it is important that the following comments do not constitute an endorsement of REAL ID or the regulations as workable or appropriate.”

I’d make explicit the conclusion which the Data Privacy and Integrity Committee left readers to infer from their report:

The REAL ID act is a bad idea.  The problems with the REAL ID act listed in the Committee’s report should not be fixed, because fixing them will not address the core issues the REAL ID act raises.  Fixing the problems the Committee has identified will simply produce the best possible version of a very bad system.  If the REAL ID act is implemented, there is no chance it will meet its stated goals; there is every reason to believe it will have many unforeseen adverse consequences; and there is every reason to believe its costs will be huge in proportion to its benefits.

There are many reasons the REAL ID act is a bad idea, even if the Committee’s issues are addressed; here are a few:

  1. The REAL ID act will spend an enormous amount of YOUR money on a technology which cannot in principle solve the stated problems.  An ID card does not now and cannot ever tell the authorities whether its holder intends to commit a terrorist act.  No unforgeable ID card can be produced, and if one could be produced, fraud would simply be refocused from attempts to counterfeit the card to attempts to subvert the issuance process to issue legitimate cards to the wrong people.  It is not clear that the US legal system could be bent to require people to carry and present cards in all situations of interest, and even if it could, many Americans would not want to live under the legal system which would be required.  And finally, of course, requiring the same card for lots of different high-value transactions makes the card itself a very high-value artifact, which makes the reward for counterfeiting the card very large, which makes it economically sensible to invest significant resources in developing equipment and techniques which can counterfeit the card....
  2. The REAL ID act hands responsibility for solving a problem (terrorism and identity theft) to organizations (state DMVs) whose job does not involve solving these problems, who have no expertise in solving these problems, and who do not benefit in any way relevant to their own performance metrics from solving these problems.  It should be expected that states will implement the terms of the act grudgingly and ineffectively, as, from their point of view, there are only costs and no benefits.  Identity theft should be addressed by banks, not by the DMV.  Terrorism should be addressed by the State Department, the Defense Department, and the police; not by the DMV.
  3. The existence of a single, federally mandated identifier for all US persons, required for all high-value transactions, will INEVITABLY create a host of secondary uses and a large number of unforeseen consequences.  Most of the secondary uses will work against individuals by denying them privacy protections and access to services.  Most of the unforeseen consequences will create risks for individuals and DMVs without involving any party who has the resources, expertise, and incentive to assume liability for losses or to mitigate risks.  I’ll go so far as to predict the first unforeseen consequence now: if this act is implemented, it will quickly be discovered that there is a large class of US Citizens who CANNOT BE IDENTIFIED in the way required by the act, because they lack the necessary documentation.  The system will then have to be modified to allow the rules to be broken for these people – and the alternative identification process thus created will become the first focus of identity thieves.

May 15, 2007

SAP acquires MaXware

Blogger: Lori Rowland

This week SAP announced its acquisition of MaXware, a privately held identity management vendor located in Trondheim, Norway. The core of MaXware’s identity management offering is its user provisioning and virtualization capabilities. 

On the surface, this acquisition may seem nothing more than continued consolidation in the identity management (IdM) market. However, in reality this acquisition has deeper roots and may have a larger impact than expected. 

Those familiar with the applications side of the IT world know that SAP and Oracle have a long and colorful history. In the 90’s the PeopleSoft and SAP rivalry was at its peak. The vendors’ respective ERP applications were still evolving -- the products were differentiated feature-by-feature, module-by-module. Other players in the market included JD Edwards, Siebel, Hyperion, and a little company called Oracle (okay- maybe not so little, but it was much smaller than it is today). SAP had a stronghold on the European market while PeopleSoft sales were skyrocketing in North America.

As history has shown, the only thing consistent is change. Oracle began its buying frenzy in late 2004 with its acquisition of PeopleSoft. Since that time they have acquired JD Edwards, Siebel, and most recently Hyperion – virtually wiping out its competition with the exception of SAP. Today, Oracle and SAP dominate the enterprise application market. These vendors are differentiated not by product features but by strategy, vision, and peripheral components (e.g. services, middle-ware, security, audit, and identity management).

In 2005, Oracle entered the IdM market through the acquisition of Oblix, OctetString, and Thor Technologies, which offer access management/federation, virtual directory, and provisioning features respectively. Oracle Identity Manager is a component of Oracle’s Fusion Middleware product family. Oracle positions its IdM products as an “application-centric” solution.

SAP also made several acquisitions. In 2006, SAP acquired Virsa Systems, an enterprise application controls management vendor offering access control and separation of duties features for the ERP environment. Virsa has been re-branded SAP Governance, Risk, and Compliance (GRC) Access Controls. SAP GRC Access Controls is just one component of SAP’s GRC product family. 

In March 2007, Oracle announced its GRC Suite, which includes technologies acquired from Stellent, Inc. The rivalry between these vendors has begun to resemble a game of Battleship, with SAP’s acquisition of MaXware representing return fire for Oracle’s various IdM acquisitions. Both Oracle and SAP now have a GRC suite and an IdM offering. The interesting thing about this game of Battleship is that so far no one has been wiped out.

At first glance, it appears that Oracle and SAP are merely firing shots at one another.  This is true to some degree. These vendors are each trying to bring added value to their core application and platform. The ERP business is the core business for these vendors. This is similar to Microsoft’s strategy – if customers buy peripheral components (MS Word) they are more likely to remain committed to the core platform (MS Windows, XP, etc.).  Peripheral components sustain the “cash cow.”

SAP’s entrance to the identity management market does however change the dynamic beyond the existing rivalry with Oracle. The acquisition will have a direct impact on the identity management market. Exactly how the market will be impacted will remain somewhat unclear until SAP reveals its long-term identity management strategy and roadmap.

SAP’s acquisition of MaXware has potential to impact the identity management market in several different ways such as:

  • Application-centric identity management becomes a reality. Oracle’s and SAP’s IdM offering will truly have tighter integration with their respective enterprise applications. Integrating with ERP applications will be simplified.
  • Identity becomes an embedded component of enterprise applications. Enterprise applications become the trigger for identity events rather than just a consumer. This has been something that Burton Group has predicted for some time. Both SAP and Oracle have the opportunity to make this happen.
  • Identity as a service. Again this is something Burton Group has been promoting.  SAP has potential to influence identity as a service by combining its NetWeaver, SOA, standards, and identity strategies.
  • Most obviously, SAP’s acquisition brings additional consolidation and competition to the IdM market.

This acquisition was probably not terribly surprising to those watching the IdM market. However, the game is not over. To be successful SAP must take the time to understand the needs of its customers (and potential customers) in the IdM market. Oracle and SAP both have the opportunity to truly impact and influence the services, IdM, security, and risk management markets while solidifying their competitive stance in the enterprise application space.