From Account Management to User Provisioning to Identity Management

The administrative effort of reliably managing users, their credentials and their entitlements has been a hot topic in IT for a very long time. GUIDE, formed in 1954 (just 2 years after IBM sold their first mainframe computer), established a project in 1974 to examine the requirements for Security and Data Management. In 1976, IBM released the first version of Resource Access Control Facility (RACF). Together with ACF2 and TopSecret (both now marketed by CA), RACF allowed mainframe security administrators to define and enforce policies, rather than just define permissions.

By comparison, the emergence and rapid climb to dominance of distributed platforms, particularly Windows and Unix, saw a plethora of proprietary and incompatible mechanisms for managing users.

The earliest provisioning vendors were mostly top tier network and systems management vendors (BMC, CA, IBM Tivoli). They started with important advantages. First, their presence in the mainframe market exposed them to effective and mature (though largely manual) processes for user administration widely found in mainframe shops built around RACF, ACF2 or TopSecret. Secondly, their experience in building network and systems management solutions brought expertise in development of agent technology and reliable (store and forward) messaging, the vital "plumbing" for a provisioning engine. These first attempts placed emphasis on centralised, consistent manipulation of credentials on target systems.

For example, CA released their first provisioning solution in 1997. The solution was designed as an extension to CA's flagship Unicenter networks and systems management family, and released under the name Unicenter Directory Management Option (DMO). Following CA's acquisition of Platinum, DMO was relaunched as a standalone product under the name eTrust Admin in 2000.

The second wave of provisioning products came from niche vendors (Business Layers, Access 360, Waveset, Thor) and was characterised by the use of web technology and the adoption of configurable workflow-based approval processes. These products also initially had limited connector coverage (and some connectors had limited capabilities). At the time of the CA acquisition of Netegrity in 2005, Identity Minder eProvision (formerly the Business Layers Day One product) was still licenced to use the connectors from BMC's Control-SA product.

These new capabilities, however, proved to be prerequisites for delegated administration and user self-service. This then led to a rash of acquisitions, with Netegrity joining CA, Access 360 joining IBM, Thor joining Oracle and Waveset joining Sun. Netegrity brought two distinct offerings to the party: Identity Minder (web-based administration for Siteminder deployments) and eProvision (the former Business Layers product). The second-generation CA product was built by integrating Netegrity's Identity Minder with CA's eTrust Admin. The eProvision developers left CA to form a new company, IDFocus, which developed add-ons for Identity Manager implementing the best features of eProvision that were still missing from the CA product. CA eventually acquired IDFocus in late 2008 and merged the two development teams. BMC acquired a directory management product (Calendra) in 2005 to add the missing elements of workflow and graphical interfaces.

The current race for the Identity Management vendors is to integrate role mining and role management capabilities into their solutions. First, Oracle acquired Bridgestream, then Sun acquired VAAU with their RBACx product. Finally in late 2008, CA acquired Eurekify. Meanwhile, IBM released their first role engineering capabilities (developed in-house) in their Tivoli Identity Manager product in late 2009. More recently, following the acquisition of Sun by Oracle, it has been announced that the former VAAU RBACx product will be rebranded as Oracle Identity Analytics.

So, where next? It goes without saying that all the major vendors still have much to do to improve integration and remove duplication between the multiple components from which their products are built. However, there's a growing realisation that real-world deployments of identity management will have to be built from multi-vendor solutions. Renewed activity around mergers, acquisitions and divestments will drive this strategy forward. The cost, time and risk of replacing one vendor's IdM products with another's will prove to be completely unacceptable to the business. So, vendors are going to have to address interoperability seriously. Perhaps this will be the catalyst for renewed interest in open standards, such as SPML and DSML. Enterprise directories have matured from the over-hyped vision of directory-centric networks into unglamorous (but still vital) low-level infrastructure, yet DSML has never really taken off, despite being adopted by OASIS in 2002. Interoperability is aided when directories (the single source of truth for an IdM system) are able to exchange updated information autonomously.

The current generation of Identity management solutions can provide the technology platform for the most ambitious identity management programmes, although those programmes remain lengthy and full of risks. The emerging challenge will be to enable a similar solution, delivered to multiple customers as part of a managed service or public cloud offering.
