The prospect of loosely coupled and highly distributed Web services has made security – and, consequently, identity management – a major issue that all Web services players must address if they are to engender confidence among corporate and personal users.
Context: Identity management is an area that had been crying out for automation, but outside the mainframe world it was not a particularly hot area until the current fad for externalizing business processes to partners emerged. This, along with increasing adoption of enterprise portals and heightened security concerns, has increased the need for organizations to carefully control exactly who has access to which corporate resources and data. Most significantly, identity management is seen as a fundamental requirement for securing access to Web services.
Market overview: The main players in this space can be divided into two broad categories. On one side sit the operating system-centric vendors. Arguably, the most vocal of these is Sun Microsystems; the Sun ONE platform for Network Identity, launched earlier this year, is one of the most complete end-to-end identity management solutions on the market. This mixture of Sun hardware and software can manage up to 10,000 online identities inside the firewall, or up to 250,000 identities outside the firewall. Sun added identity management to the Sun ONE Portal Server 6.0 in July.
Sun is also a driving force behind the Liberty Alliance, an "open" movement founded in September 2001 to develop a technical specification for single sign-on, account federation and global logout for consumer and business users. The Liberty Alliance sports a roster of major players such as SAP, Visa, Cisco, Nokia, Hewlett-Packard, i2, EDS and RSA Security. Microsoft is also a major force in the single sign-on space with its Passport/.NET initiative, and it is currently trading blows with Sun about how these schemes should be managed.
Novell is also a player in the Liberty Alliance, and has made a play in the Web services directory market with its Project Destiny initiative, announced in July. This includes secure identity and access management to UDDI registries – using XML and SOAP technologies it acquired from SilverStream – dynamic identity to tailor identity information more closely to the specific service being requested, and federated trust.
Current trends: The network operating systems and their offspring all are somewhat logical starting points for identity management. But the broader systems management and pure-play vendors argue that they are not so strong at managing a truly heterogeneous environment.
One vendor leading the charge is IBM's Tivoli systems management unit, which made a major play in identity management in September when it acquired Access360 for an undisclosed sum. One of Tivoli's weakest points has been provisioning, and the acquisition of Access360 was designed to plug that hole, providing IBM with a comprehensive identity management offering by melding together access control, lifecycle management, metadirectories, provisioning and privacy management into a single system.
Other system players include Computer Associates and BMC Software, which has its Control-SA tools, with pure plays including Netegrity and NetIQ. RSA Security has also been making strides in this area, although for the time being it appears content to partner with identity management vendors to provide front-end access into its security policy tools. Although BEA Systems has been flexing its muscles as an application infrastructure player, it has so far resisted the urge to compete with its partners.
However, given the growing adoption of enterprise portals and continuing concerns over the security of Web services, we would not rule out any of the above players making new or further acquisitions to develop more rounded identity management and provisioning technologies.
Likely targets: Cupertino, Calif.-based Oblix has set out to be a leader in the identity management space and in providing a secure way to deploy and manage Web-based applications. With Oblix's flagship NetPoint product, enterprises can manage diverse applications, portals and custom applications and securely provide automated access to them. Oblix is already a close partner of BMC's, and the two have created IDLink, a technology that integrates NetPoint's COREid and BMC's Control-SA products. The result is that NetPoint becomes a single user interface for all user profile changes, including the creation, deletion and updating of users, among other things. Founded in 1996, Oblix has a well-qualified management team – CEO Gordon Eubanks was previously CEO of Symantec.
Rochelle Park, N.J.-based Business Layers was formed in 1999, and claims to have pioneered the directory-based provisioning software market. Reflecting the changing labor market, Business Layers has extended the emphasis of its eProvision Software from giving new employees access to digital resources to including non-employees such as temporary workers and contractors, as well as terminating access rights for departing employees. The company has raised over $50 million in financing from investors including Novell. Close partners include RSA Security, Netegrity and BMC Software.
Austin, Tx.-based identity security management specialist Waveset was founded by Tivoli refugees in early 2000, and has since raised over $30m in three funding rounds. It launched its flagship product, Lighthouse, in June 2001, and partners include RSA Security, Deloitte & Touche and PricewaterhouseCoopers. Uniquely, Lighthouse exploits standard interfaces such as LDAP and JDBC to centrally manage identity data stored in an array of applications.
Thor Technologies has been on the go since 1991 in the access rights and provisioning field, but raised $19m in July this year to fund an expansion strategy. The New York-based company's flagship product is Xellerate, an enterprise provisioning system that it says securely manages user access to corporate resources. The company's partner list also includes RSA Security, as well as Netegrity.
Framingham, Mass.-based Courion is another player with close links to RSA Security. It recently extended a previous agreement to enable 'end-to-end' provisioning for joint customers. Privately held Courion was founded in 1996 and has raised $18m in VC financing. It has developed a series of modules covering user account creation, password management, user profile management and digital certificate management, and focuses on self-service identity management.
Finally, Houston-based and Nasdaq-listed Bindview is best known for its bv-Control host-based vulnerability assessment software for the Microsoft platform. However, its bv-Admin product also provides security administration through role-based delegation of management responsibilities over platforms, directories and applications. It also recently unveiled a Password Self Service tool, a Web-based application that allows users to create their passwords and gain access to accounts, reducing the burden on system administrators.
These smaller players – Oblix, Waveset, Thor, Courion, Bindview – all have their USPs, but need to play their cards carefully to differentiate themselves from the major players that are also developing comprehensive capabilities.
The451 assessment: Identity management is only one piece of the Web services puzzle, but it is an increasingly important one. This is still an evolving market, and the dust has yet to settle. Customers will always be more wary of a smaller company – especially in areas such as security – and this makes it essential for the smaller players to partner with the more established vendors. Although some providers are partnering extensively to add such features, the early leaders are developing comprehensive offerings that include rich identity management and provisioning capabilities. We believe this trend could tempt other vendors to consider acquiring niche technologies to flesh out their own offerings.
the451 is an analyst firm that provides timely, detailed and independent analysis of news in technology, communications and media.