From account management to user provisioning and identity management

The administrative effort to reliably manage users, their credentials, and their rights has been a hot topic in IT for a long time. GUIDE, formed in 1954 (just 2 years after IBM sold its first mainframe), established a project in 1974 to examine data management and security requirements. In 1976, IBM released the first version of the Resource Access Control Facility (RACF). Along with ACF2 and TopSecret (both now marketed by CA), RACF allowed mainframe security administrators to define and enforce policies, rather than simply defining permissions.

By comparison, the rise and rapid dominance of distributed platforms, particularly Windows and Unix, brought a plethora of proprietary and incompatible mechanisms for managing users.

The early provisioning vendors were mostly first-tier network and systems management vendors (BMC, CA, IBM Tivoli). They started with significant advantages. First, their presence in the mainframe market exposed them to effective and mature (albeit largely manual) processes for user management that are widely found in mainframe shops built around RACF, ACF2, or TopSecret. Second, their experience in creating systems and network management solutions provided insights into the development of reliable messaging and agent technology (store and forward), the vital “pipeline” for a provisioning engine. These early attempts put an emphasis on centralized and consistent manipulation of credentials on target systems.

For example, CA launched its first provisioning solution in 1997. The solution was designed as an extension of CA’s flagship network and systems management family, Unicenter, and was released under the name Unicenter Directory Management Option (DMO). Following CA’s acquisition of Platinum, DMO was relaunched as a standalone product under the name eTrust Admin in 2000.

The second wave of provisioning products came from specialized vendors (Business Layers, Access 360, Waveset, Thor) and was characterized by the use of web technology and the adoption of configurable workflow-based approval processes. They also initially had limited coverage for connectors (and some connectors had limited capabilities). At the time of CA’s acquisition of Netegrity in 2005, Identity Minder eProvision (formerly the Business Layers Day One product) was still licensed to use the connectors from BMC’s Control-SA product.

However, these new capabilities proved to be prerequisites for delegated administration and user self-service. This then led to a series of acquisitions, with Netegrity joining CA, Access 360 joining IBM, Thor joining Oracle and Waveset joining Sun. Netegrity brought two different offerings to the party, Identity Minder (web-based management for Siteminder deployments) and eProvision (the old Business Layers product). The second-generation CA product was built by integrating Netegrity’s Identity Minder with CA’s eTrust Admin. The eProvision developers left CA to form a new company, IDFocus, which developed add-ons for Identity Manager implementing the best eProvision features that were still missing from the CA product. CA finally acquired IDFocus in late 2008 and merged the two development teams. BMC acquired a directory management product (Calendra) in 2005 to add missing elements of workflow and graphical interfaces.

The current race for identity management vendors is to integrate role mining and role management capabilities into their solutions. First, Oracle acquired Bridgestream, then Sun acquired VAAU with its RBACx product. Finally, in late 2008, CA acquired Eurekify. Meanwhile, IBM released its first (in-house developed) role engineering capabilities in its Tivoli Identity Manager product in late 2009. More recently, following Oracle’s acquisition of Sun, it was announced that the old VAAU RBACx product will be upgraded and renamed Oracle Identity Analysis.

So where does it go next? It goes without saying that major vendors still have a lot to do to improve integration and eliminate duplication between the multiple components from which their products are built. However, there is a growing understanding that real-world identity management implementations will have to build from multi-vendor solutions. Renewed activity around mergers, acquisitions and divestitures will drive this strategy. The cost, time, and risk of replacing one vendor’s IdM products with another’s will prove to be completely unacceptable to the business. Therefore, vendors will have to take interoperability seriously. Perhaps this is the catalyst for a renewed interest in open standards, such as SPML and DSML. Enterprise directories have matured from directory-centric networks to an unglamorous (but still vital) low-level infrastructure, but DSML has never really taken off, despite being adopted by OASIS in 2002. Interoperability is favored when directories (the only source of truth for an IdM system) are capable of exchanging updated information autonomously.

The current generation of identity management solutions can provide the technology platform for the most ambitious identity management programs, although those programs are still long and fraught with risk. The emerging challenge will be to enable a similar solution, delivered to multiple clients as part of a managed service or public cloud offering.
