Posted October 8th, 2008
Yesterday CA announced its acquisition of IDFocus, a small Israeli company. Among other abilities, IDFocus provides a finer-grained segregation of duty (SoD) analysis engine. CA has previously integrated this engine into Identity Manager, their user provisioning tool.
This is an interesting wrinkle in an ever-changing market. CA now possesses a preventive-controls engine with the ability to look further into the security stack of an application. This engine allows customers to make SoD decisions below the role or group level, at the lower ACL/security object levels. Provisioning vendors have until now done this by calling external services provided by Enterprise Application Controls Management (EACM) vendors.
On one hand, CA has partially obviated the need to integrate with an SAP, Oracle, or Approva by integrating the IDFocus capabilities into CA Identity Manager. On the other hand, CA’s move may have made things more confusing for customers. By increasing the number of controls repositories that a customer has to maintain, integration of IDFocus makes compliant provisioning deployments more challenging. What would be really slick is if CA could find a way to work with the EACM vendors to synchronize SOD tests so that a customer could use the same test for both detective and preventive applications.
I was speaking on this very topic in Europe last week. I commented on the various architectures for integrating EACM into user provisioning to provide compliant provisioning services. (For more on this subject, check out Lori’s report on the matter.) CA has now introduced a fourth deployment model in which the provisioning engine owns the entire compliant provisioning event from the request through the SoD test to the provisioning event itself. An interesting alternative. I’ll be curious to see where CA takes this. Continue reading "CA’s Acquisition of IDFocus"...
Posted January 14th, 2008
A while back I had commented on consolidation in the role management world. As I have said before, from product management and marketing perspectives, integrating a role management tool into an existing identity management suite is a no-brainer. This is not to say that the implementation and deployment are no-brainers as well – so don’t get too excited Greg  What is more interesting is where major vendors like Oracle and Sun will take enterprise roles management.
I had also mentioned that it would be great for Kevin Kampman of Burton to weigh in on the subject, and sure enough, he did. I am intrigued by his concept of “return on organization.” But to see this return it first requires identity management vendors to share this value proposition with the parts of the enterprise that really care; it forces IdM vendors to sell to “the business.” Making identity management truly relevant to the entire business has always been one of IdM’s challenges. Role management does present a new way of taking older topics to a new audience but I wonder if potential customers are ready to hear it.
Posted December 4th, 2007
Nishant, in a light hearted manner, took my post on Sun acquiring Vaau as a bit of a dare. This is how I responded to his comment:
Since I don’t believe that ERM is an end in and of itself, I am more curious where the market and technology will go now that two “suite” vendors have made acquisitions. If, by orchestrating some sort of challenge between Oracle and Sun to integrate and innovate, I can help move things along, then yes, by all means, consider it a challenge. Maybe the gang at Burton Group can referee this?
How vendors like Sun and Oracle integrate their ERM acquisitions will have a very tangible impact on the future direction of identity management. Both are in a position to unlock the true value of enterprise role management.
The step of integrating ERM in user provisioning is a no brainer, though it will be interesting to see how fast each vendor can do it. What is more interesting is the step beyond that. I started to ruminate on that before… guess we’ll have to wait and see what comes.
In the meantime, it would be great if someone like Kevin Kampman would weigh in on this.
Posted October 11th, 2007
(The following is also available over at Approva’s Audit Trail.)
The deal has been announced and will finally be done in November. Nobody is particularly surprised that Oracle is buying LogicalApps, least of all, us here at Approva. With this transaction Oracle will now have a controls automation tool needed to continue its fight with SAP. Analysts, bloggers, and prospective customers have asked: where does this leave Approva and the answer is – exactly where we want to be: Approva remains the independent controls monitoring company – and the only one with the proven ability to work across applications, in multiple platforms and for any kind of control.
Oracle (and similarly SAP) are taking the approach of strongly tying and embedding their controls monitoring tools in their ERP packages. What’s wrong with this approach? It is fundamentally too limited in scope and vision. Yes, managing controls in ERP systems is critical, especially in a SOX world. But, a tool that scopes controls automation down to SoD analysis for a specific ERP package (and, for that matter, a specific version therein) can only provide a keyhole view and doesn’t truly serve the GRC needs of the enterprise. Since LogicalApps only addressed Oracle E-Business Suite, with this acquisition Oracle continues to neglect its red haired step children: PeopleSoft, JD Edwards, Hyperion, Siebel… where’s the controls love for them? Continue reading "Oracle buys LogicalApps: Approva Remains the Land of Freedom"...
Posted August 31st, 2007
If the 451 Group got it right (as reported in this Dark Reading article), then the bar has just been set for Enterprise Role Management buyout deals. $35 million. $35 million? I can’t tell if that number is high or low.
Let’s consider than Access360 and Waveset had estimated price tags of roughly $100 million. Are we to imply that role management market should be sized at roughly a third of the overall provisioning market? That I doubt.
The question that I am pondering is – who in the company derives the most value from an ERM deployment? HR? IT operations? IT ops derives value from role mining as it deploys user provisioning. HR can definitely get something out of top-down role lifecycle functions. But in both cases, to unlock that derived value, the company needs another technology to act as a proxy for role technologies. It is hard to derive the value of role mining without a user provisioning system. It is hard to derive value from top-down role lifecycle management without… an HR system.
And maybe that’s it. If this is true, and Oracle bought Bridgestream, then Oracle’s strategy is a three staged one. First, augment Oracle Identity Manager with traditional role management and mining functions. Provide strong capabilities to tie business roles to IT roles. Provide role mining capabilities. Second, use Bridgestream’s enterprise/business role capabilities to augment Oracle’s numerous HR systems. PeopleSoft HR + Bridgestream = a very interesting combination. Third, continue to make good on the promise of tying ERP to IdM. If Fusion HR could publish dynamic business definitions (containing roles and organization structures) that OIM could tap, then Oracle customers would be well on their way to becoming more governable organizations. Continue reading "Oracle buys Bridgestream?"...
|
|
what others say