This is an interesting wrinkle in an ever-changing market.  CA now possesses a preventive-controls engine with the ability [...]]]> Yesterday CA announced its acquisition of IDFocus,  a small Israeli company.  Among other abilities, IDFocus provides a finer-grained segregation of duty (SoD) analysis engine.  CA has previously integrated this engine into Identity Manager, their user provisioning tool.

This is an interesting wrinkle in an ever-changing market.  CA now possesses a preventive-controls engine with the ability to look further into the security stack of an application.  This engine allows customers to make SoD decisions below the role or group level, at the lower ACL/security object levels.  Provisioning vendors have until now done this by calling external services provided by Enterprise Application Controls Management (EACM) vendors.

On one hand, CA has partially obviated the need to integrate with an SAP, Oracle, or Approva by integrating the IDFocus capabilities into CA Identity Manager.  On the other hand, CA’s move may have made things more confusing for customers.  By increasing the number of controls repositories that a customer has to maintain, integration of IDFocus makes compliant provisioning deployments more challenging.  What would be really slick is if CA could find a way to work with the EACM vendors to synchronize SOD tests so that a customer could use the same test for both detective and preventive applications.

I was speaking on this very topic in Europe last week.  I commented on the various architectures for integrating EACM into user provisioning to provide compliant provisioning services.  (For more on this subject, check out Lori’s report on the matter.)  CA has now introduced a fourth deployment model in which the provisioning engine owns the entire compliant provisioning event from the request through the SoD test to the provisioning event itself. An interesting alternative. I’ll be curious to see where CA takes this.

(Originally post on Burton Groups’ IdPS blog.)

Since I don’t believe that ERM is an end in and of itself, I am more curious where the market and technology will go now that two “suite” [...]]]> Nishant, in a light hearted manner, took my post on Sun acquiring Vaau as a bit of a dare. This is how I responded to his comment:

Since I don’t believe that ERM is an end in and of itself, I am more curious where the market and technology will go now that two “suite” vendors have made acquisitions. If, by orchestrating some sort of challenge between Oracle and Sun to integrate and innovate, I can help move things along, then yes, by all means, consider it a challenge. Maybe the gang at Burton Group can referee this?

How vendors like Sun and Oracle integrate their ERM acquisitions will have a very tangible impact on the future direction of identity management. Both are in a position to unlock the true value of enterprise role management.

The step of integrating ERM in user provisioning is a no brainer, though it will be interesting to see how fast each vendor can do it. What is more interesting is the step beyond that. I started to ruminate on that before… guess we’ll have to wait and see what comes.

In the meantime, it would be great if someone like Kevin Kampman would weigh in on this.

The deal has been announced and will finally be done in November. Nobody is particularly surprised that Oracle is buying LogicalApps, least of all, us here at Approva. With this transaction Oracle will now have a controls automation tool needed to continue its fight with [...]]]> (The following is also available over at Approva’s Audit Trail.)

The deal has been announced and will finally be done in November. Nobody is particularly surprised that Oracle is buying LogicalApps, least of all, us here at Approva. With this transaction Oracle will now have a controls automation tool needed to continue its fight with SAP. Analysts, bloggers, and prospective customers have asked: where does this leave Approva and the answer is – exactly where we want to be: Approva remains the independent controls monitoring company – and the only one with the proven ability to work across applications, in multiple platforms and for any kind of control.

Oracle (and similarly SAP) are taking the approach of strongly tying and embedding their controls monitoring tools in their ERP packages. What’s wrong with this approach? It is fundamentally too limited in scope and vision. Yes, managing controls in ERP systems is critical, especially in a SOX world. But, a tool that scopes controls automation down to SoD analysis for a specific ERP package (and, for that matter, a specific version therein) can only provide a keyhole view and doesn’t truly serve the GRC needs of the enterprise. Since LogicalApps only addressed Oracle E-Business Suite, with this acquisition Oracle continues to neglect its red haired step children: PeopleSoft, JD Edwards, Hyperion, Siebel… where’s the controls love for them?

To say that governance, risk, and compliance (GRC) is an ill-defined piece of buzzword bingo may be the understatement of the last few years. If someone says they have a complete GRC platform to meet all enterprise needs, kindly escort them out of the building via the nearest window. The point is that we, vendors, service providers, and customers, are still feeling out what truly needs to be in a complete GRC solution set and over time “GRC” will continue to evolve before it solidifies into a commonly accepted set of capabilities. Accepting this limited definition of controls automation that ERP vendors are serving up will cost their customers and force them to reinvest over time. By definition, a constrained, embedded approach to controls automation is shortsighted. It cannot meet the future needs of GRC because it cannot adapt to other systems and other processes that will eventually fall under the controls monitoring umbrella.

Approva’s approach has been and will continue to be fundamentally different. By staying independent and ERP agnostic, while at the same time providing rich domain expertise in those ERP packages, we provide customers better controls monitoring capabilities than the ERP vendors. We do this not only in these ERP applications, but we also provide the ability to do so in any application. Furthermore, we do this for any kind of automate-able control, be it traditional authorization-related segregation of duty or any kind of business process that our customers and business partners dream up. And we do all of this without the premium or baggage associated with ERP vendors.

Freedom to monitor any kind of control. Freedom to leverage our deep domain expertise as well as that of our partners in the audit world. Yep, staying independent is all about freedom for Approva and it is this freedom we give to our customers – even Oracle’s red haired step kids. I may not know what the final definition of GRC will be, but I do know that Approva’s independent approach to controls monitoring will serve its customers better than any controls monitoring tool shackled to just a single ERP package.

Let’s consider than Access360 and Waveset had estimated price tags of roughly $100 million. [...]]]> If the 451 Group got it right (as reported in this Dark Reading article), then the bar has just been set for Enterprise Role Management buyout deals. $35 million. $35 million? I can’t tell if that number is high or low.

Let’s consider than Access360 and Waveset had estimated price tags of roughly $100 million. Are we to imply that role management market should be sized at roughly a third of the overall provisioning market?  That I doubt.

The question that I am pondering is – who in the company derives the most value from an ERM deployment? HR? IT operations? IT ops derives value from role mining as it deploys user provisioning. HR can definitely get something out of top-down role lifecycle functions. But in both cases, to unlock that derived value, the company needs another technology to act as a proxy for role technologies. It is hard to derive the value of role mining without a user provisioning system. It is hard to derive value from top-down role lifecycle management without… an HR system.

And maybe that’s it. If this is true, and Oracle bought Bridgestream, then Oracle’s strategy is a three staged one. First, augment Oracle Identity Manager with traditional role management and mining functions. Provide strong capabilities to tie business roles to IT roles. Provide role mining capabilities.  Second, use Bridgestream’s enterprise/business role capabilities to augment Oracle’s numerous HR systems. PeopleSoft HR + Bridgestream = a very interesting combination. Third, continue to make good on the promise of tying ERP to IdM. If Fusion HR could publish dynamic business definitions (containing roles and organization structures) that OIM could tap, then Oracle customers would be well on their way to becoming more governable organizations.

Let’s see if after Labor Day there is any truth to this rumor.