CA’s Acquisition of IDFocus

Yesterday CA announced its acquisition of IDFocus,  a small Israeli company.  Among other abilities, IDFocus provides a finer-grained segregation of duty (SoD) analysis engine.  CA has previously integrated this engine into Identity Manager, their user provisioning tool.

This is an interesting wrinkle in an ever-changing market.  CA now possesses a preventive-controls engine with the ability to look further into the security stack of an application.  This engine allows customers to make SoD decisions below the role or group level, at the lower ACL/security object levels.  Provisioning vendors have until now done this by calling external services provided by Enterprise Application Controls Management (EACM) vendors.

On one hand, CA has partially obviated the need to integrate with an SAP, Oracle, or Approva by integrating the IDFocus capabilities into CA Identity Manager.  On the other hand, CA’s move may have made things more confusing for customers.  By increasing the number of controls repositories that a customer has to maintain, integration of IDFocus makes compliant provisioning deployments more challenging.  What would be really slick is if CA could find a way to work with the EACM vendors to synchronize SOD tests so that a customer could use the same test for both detective and preventive applications.

I was speaking on this very topic in Europe last week.  I commented on the various architectures for integrating EACM into user provisioning to provide compliant provisioning services.  (For more on this subject, check out Lori’s report on the matter.)  CA has now introduced a fourth deployment model in which the provisioning engine owns the entire compliant provisioning event from the request through the SoD test to the provisioning event itself. An interesting alternative. I’ll be curious to see where CA takes this.

(Originally post on Burton Groups’ IdPS blog.)

Oracle buys LogicalApps: Redux

Lori Rowland has posted an examination of the state of market given Oracle’s acquisition of LogicalApps. Her analysis of the impact of this acquisition to us independent controls management companies mirrors some of my thoughts on the matter. There was one thing that caught my eye. Lori writes:

There are obvious benefits to implementing Oracle and SAP’s controls management solutions to manage the respective environments. Who knows SAP SOD policies or sensitive transactions better than SAP, right?

Maybe not. I posit that the audit community (both internal and external auditors) have a better sense for what constitutes an SoD violation in their business context than ERP vendors do. Clearly, the ERP vendors know, from a functional stand-point, what each transaction and function does in their products. This enables them to build the “well, duh” SoD policies such as “flag everyone with SAP_ALL.” The “well, duh” SoD policies are the just the ante to play in the controls monitoring game. The meaningful, high value SoD policies come from the audit community and their years of lessons learned working across multiple industry verticals globally. It has yet to been if the ERP vendors will truly cater to this community’s needs. It is the greater audit community that Approva has sought to serve since day one and we’ll continue to do so. Viva independence!