Saturday, March 29, 2008

Passlogix responds to the IBM situation

There's been many a discussion around the IBM acquisition of Encentuate and what it means. I wrote about it here, here, here and here. I've also received a few emails discussing the issue (mostly with my IBM mates). I've presented the IBM view and an unofficial (albeit tongue in cheek) Oracle view (thanks to Nishant Kaushik). The obvious missing link here is Passlogix's view.

Earlier this week, I received an email from a senior member of Passlogix's management team to open up a discussion and also to clarify their position. One of the topics of conversation centred around one of my posts and specifically my statement:

If you "upgrade" from ITAM ESSO to Passlogix v-GO or Oracle's OEM version of v-GO, you will have to buy the product again. Your IBM licenses will not carry over, unless Passlogix and/or Oracle get very aggressive and agree to "upgrade" your deployment and waive the software costs

The next few paragraphs in orange summarise my understanding (not a direct quote, so it includes some of my commentary) of Passlogix's position.

Passlogix's response is that they are working with every customer running IBM Tivoli Access Manager for Enterprise Single Sign-On (ITAM ESSO) 6.0 (the current version and OEM of Passlogix v-GO) to give them options moving forward and to help give them a choice. They will also honour the existing maintenance contracts that IBM has in place, and if the customer chooses to have Passlogix support them directly, there will be no additional charges to do so.

Passlogix also completely agree with my point that upgrading from ITAM ESSO 6.0 (Passlogix v-GO OEM) to ITAM ESSO 7.0 ("blue rinsed" Encentuate) will be a real pain in the behind because it's a "rip and replace". They make mention of the fact that v-Go is an "infrastructure free/event driven technology" and Encentuate is "server based/script driven". I can't confirm that Encentuate is indeed server based and script driven because I have never seen it in action. If it is, then it will be very painful migrating between the 2 approaches. As an aside, I should point out that it's not surprising that they agree! It helps them keep existing customers. I'm sure every single Passlogix employee is being told to say this. Unfortunately for IBM, I'm right. So IBM, you're going to need to work VERY hard to make it worthwhile for a customer to move to ITAM ESSO 7.0.

One last thing that Passlogix would like to remind us is that if you're the type of organisation that MUST evaluate technology before you can implement it, you'll also have to put up with that pain (as will IBM) before you can migrate to ITAM ESSO 7.0.

IBM will obviously tell you that you do not need to evaluate anything and that it should be treated as an upgrade. How you choose to view it is completely your call. Just be aware that these are the 2 differing views and whichever you pick will have implications for your migration or upgrade plan.

At this point in time, here are your choices:
  1. Upgrade to ITAM ESSO 7.0 when it comes out - No additional software license, maintenance or support costs (unless your maintenance contract is expiring). Lots of services pain. Who pays for the services? If IBM doesn't wear most of it, they aren't trying hard enough.
  2. Move to Passlogix - No additional software license, maintenance or support costs (unless your maintenance contract is expiring). Services pain will probably be minimal if any. If you have other IBM Tivoli Security products deployed however, keep in mind that future integration points will probably be released for ITAM ESSO 7.0 ("blue rinsed" Encentuate) before Passlogix get a chance to write their integration pieces by virtue of the fact IBM will generally build their integration pieces between internal products first (not always, but this is almost always true within the same IBM product suite). I'm pretty sure Passlogix will continue to support integration between v-GO and the IBM Tivoli products, but they will just be slower in getting them released. There's not a lot Passlogix can do about it of course because they will only be able to build integration pieces into IBM products by working with IBM (unless they wait for APIs to be published, which will make it even slower).
  3. Move to Oracle - They'll charge you for the software, maintenance and support (does someone from Oracle want to email me to tell me that you won't?). Services pain will probably be minimal if any. If you have other IBM Tivoli Security products deployed however, this is not a smart choice unless you are ready to throw IBM out and replace your whole Identity and Access Management infrastructure with Oracle.

More on this WAM thing

My last post generated more interest than I initially expected. I guess it's one of those dormant issues that people have come to accept because it's just how the large vendors sell their Web Access Management (WAM) products (i.e. software).

I asked a few questions in a couple of sections and P2 Security's CTO, Jeff Gresham has responded by way of a comment. For those of you reading this via the RSS Feed and don't feel like clicking through, I'll repost it here:

"We appreciate your interest in our maXecurity product line.

The technology team at P2 Security has been deploying conventional Web Access Management solutions at medium to large enterprises for the better part of a decade. It was our experience with deployment, maintenance and compliance issues that motivated us to develop our appliance-based maXecurity solution.

With maXecurity, we have adopted a "fewer moving parts" philosophy, and have collapsed the conventional three layer architecture (web agents or proxies + policy servers + policy store) to a two layer architecture (proxy appliances + policy store). We see this as a distinct advantage in terms of hardware cost, as well as deployment and maintenance effort, all of which translate to a lower total cost of ownership for our customers. Since a maXecurity solution includes hardware, customers are not required to acquire and deploy any additional hardware or software for a policy server layer. Also, no OS-level system administrators are required to maintain Unix- or Windows-based policy servers. Between hardware and IT staff, we have observed large enterprises (with 100s of thousands of users and hundreds of protected web applications) spending millions of dollars per year on WAM policy servers. By eliminating the policy server layer, these costs can be avoided, with the resulting savings allowing customers to achieve ROI in a matter of months.

With regard to your question: "[do] they manage security policies when someone decides to buy more than 1 appliance," maXecurity appliances are grouped into clusters that share the same policy configuration. All policy information is maintained in a centralized LDAP policy store. Policy changes are made from any appliance, written to the policy store, and all other appliances in the same cluster will detect the changes in the policy store and enforce them locally. Any combination of maXecurity Basic (500 users), maXecurity Pro (5000 users) and maXecurity Enterprise (50000 users) appliances can make up a cluster, allowing a maXecurity infrastructure to scale from the smallest to the largest enterprise.

I hope that I've addressed your questions regarding our maXecurity product line.

Jeff Gresham
Chief Technology Officer
P2 Security LLC"

There is some truth to what he says. Of course, it doesn't mean it is any easier to manage from an overall standpoint. I maintain that it is still a point solution for those that have a specific need to address their Web Access Management problems.

Thursday, March 20, 2008

Why did it take this long for someone to build a Web Access Management appliance?

Many IBM Tivoli (and ex-IBM Tivoli) people have been saying for years that IBM Tivoli Access Manager's WebSEAL component should be an appliance, not a piece of software you have to install. For those not familiar with IBM Tivoli's security products, WebSEAL is the web proxy that typically sits in the DMZ of your network and performs the authentication and authorisation for your Web applications. I won't go into a sales pitch about why that's a good thing. If you really want to know, ask your local IBM sales rep or send me an email via the contact form on this blog and I'll get back to you.

For one thing, an appliance will generally perform better. Extremely handy when it's the front door into your enterprise web environment. IBM will not disagree because they have an appliance product doing what WebSEAL does, but for Web Services. It's called WebSphere Datapower, which was technology IBM bought via the acquisition of Datapower in 2005. The specific appliance I'm referring to is the XS40, which I also had to know about for some time until IBM finally decided to stick it once and for all under the WebSphere brand. To be fair, it does have integration points into IBM Tivoli Federated Identity Manager so all you IBM security people shouldn't be ignoring it.

It's also become somewhat of a commodity. Every major vendor has one, calls it "Access Manager", delivers it on a CD (meaning it's software) and all have very similar core functions. They are just architecturally different. I suppose it wasn't worth the effort to make it an appliance even though it made sense. All these "Access Manager" products have been selling just fine as software components.

I've been catching up on my news items (when am I ever not) and stumbled upon these guys. They are P2 Security and have built exactly what I've just described. An appliance that does Web Access Management. They even have a comparison matrix against the big vendors, which by the way isn't exactly accurate. I already see some "crosses" against IBM that I know should be "ticks".

The one beef I have with this appliance from P2 Security is that they count having a policy server as being a negative (see the comparison matrix). I don't see why that is the case. They may argue that it presents management overhead. Sure, but I don't see any mention within their collateral of how they manage security policies when someone decides to buy more than 1 appliance.

If you are in the security game, you know it's a pain in the behind to have to change security policies (or any policies for that matter) in multiple places. Are they saying that if you have multiple appliances, each time you change the policies on one of them, you have to do it for the others? It may be tolerable if it's a simple policy change, but security policies are not usually simple when it comes to authorisation (aka entitlements, although in this case I don't think the appliance can get fine-grained enough to qualify as doing any real entitlement management). Any decent technology company will have an answer for my question, so perhaps they've already thought this through. I just can't find it on the site (maybe I'm not looking hard enough, but it's late so give me a break).

The main point to make here however, is that it remains a point solution. Useful if you are a small organisation that only wants to do Access Management for your web applications, but if you want a more coherent and integrated Identity and Access Management solution, you should probably go for one of the large suite vendors. That said, I applaud P2 Security for delivering what many have been asking for (but vendors have not bothered to build because the ROI on the effort didn't make sense).

Of course, they are a perfect target for acquisition by an Identity Vendor without an access management product. Did I hear someone say Courion?

Monday, March 17, 2008

Yes they're still talking to me

In my last post, I jokingly wondered if my mates at IBM were still talking to me. Thankfully, they are. *Phew*.

A few sent me messages pretending (at least that's what I assumed) to disown me as a friend/acquaintance, and then assured me that IBM understand what they've just done and, as I expected, will be doing everything they can to minimise the pain for their existing IBM Tivoli Access Manager for Enterprise Single Sign-On (ITAM ESSO) customers.

Of course, that's exactly what you would expect IBM to do and say. As existing ITAM ESSO customers, you just have to make sure they follow through :-)

Saturday, March 15, 2008

I wonder if my ex-IBM colleagues will still speak to me

My thoughts regarding the IBM acquisition of Encentuate have been drawing quite a bit of traffic, so I guess it's a topic of interest this week.

Nishant Kaushik, Oracle's Architect for Identity Management Products gives his views on the whole thing including cheekily quoting me. I know it's all in good fun, so I'll respond in the same spirit...although I should ask if they've given him a new role as a member of the sales team? :-) Yes yes I know, the people in the product management/architecture team are evangelists by default, so they have a responsibility to help sell/evangelise their products.

He pinpoints my comments that the upgrade from IBM Tivoli Access Manager for Enterprise Single Sign-On (ITAM ESSO) 6.0 (the current version and OEM of Passlogix v-GO) to version 7.0 (the "blue-rinsed" version of Encentuate) is a "rip and replace". He suggests (tongue in cheek) that instead of going through the pain of upgrading to ITAM ESSO 7.0, customers should "upgrade" to Oracle's OEM version of Passlogix v-GO, the Oracle Enterprise Single Sign-On suite, because it'll be much easier moving forward and... "could save many an enterprise many a headache."

While that's true in theory, customers could also go the direct route to Passlogix and just upgrade to the next version of v-GO. It's the same product with a different skin. I'm not saying I have a preference for Passlogix over Oracle. I'm just saying you have a choice.

Before you go rushing off and telling IBM where to shove their Encentuate product, the first question you need to ask yourself is, "do I have any other IBM Tivoli security products deployed?" In most cases, the answer will be "yes". If you do, the smart thing to do is to stay calm. Because if you have already invested in other IBM Tivoli security products, it's going to cost you a heck of a lot more to "upgrade" them to Oracle's versions. A "rip and replace" of your core Identity and/or Access Management infrastructure is going to be 1,000,000 times more painful than a "rip and replace" of your ESSO solution. If you only have ITAM ESSO, then maybe you can consider the "upgrade" to Oracle or Passlogix because you aren't as heavily invested in the IBM Tivoli technology. But I know IBM, and I know they will do their utmost to ensure they don't lose their valued customer base...especially over something like a strategic acquisition. I just hope IBM understands the position they have put their existing ITAM ESSO customers in by acquiring Encentuate and do everything possible to minimise the pain (IBM, please don't say "eliminate the pain" because that would just be lying, aka marketing).

Here's more food for thought, especially if ITAM ESSO is the only thing you have implemented from IBM Tivoli. If you "upgrade" from ITAM ESSO to Passlogix v-GO or Oracle's OEM version of v-GO, you will have to buy the product again. Your IBM licenses will not carry over, unless Passlogix and/or Oracle get very aggressive and agree to "upgrade" your deployment and waive the software costs (there's a thought for the sales management team in Oracle and Passlogix, assuming the latter feels like testing their already tenuous relationship with IBM). (UPDATE: Passlogix have responded to me via email in relation to their position. I have written a new blog entry addressing this.) IBM will not charge you to upgrade to ITAM ESSO 7.0 if you already have 6.0 and your yearly support and maintenance haven't lapsed. That's just business as usual (assuming IBM haven't changed the policy since I left). The only cost you will likely have to incur, as I said before, is the services cost (and any internal, intangible costs to business productivity because of the need to upgrade). If IBM want to keep customers happy, they'll need to somehow subsidise these additional costs. Charging customers the usual fees will not go down well. Remember, Oracle and Passlogix are just waiting in the wings and would like nothing better than to "upgrade" your customer.

So there's the choices as I see them. As a customer, you are actually sitting in a position of power at the moment. You just have to wear the pain of the potential "rip and replace" from ITAM ESSO 6.0 to whatever you choose as the "upgrade". IBM will be nice to you because they want you to upgrade to version 7.0. Oracle and Passlogix (I shouldn't count Sun, BMC, RSA or any other company Passlogix has "gotten under the sheets with" out of the equation here) will want to displace IBM from your environment. Just work out what's best for your organisation in the longer term after careful consideration.

As for my ex-IBM colleagues, the last I checked they were still talking to me, taking my calls and answering my emails. In fact, I know some of them subscribe to this blog (hi guys!). But if any of their existing customers read my previous post (or even this one), they may be getting some irate phone calls asking what IBM is going to do to help them upgrade painlessly and possibly getting yelled at for selling them a product that is essentially about to be "decommissioned" by IBM.

Sorry guys. I'm just telling it like it is ;-)

Friday, March 14, 2008

A bit more on the IBM acquisition of Encentuate

My previous post talked about the IBM acquisition of Encentuate. After writing it, I realised that I hadn't come across Encentuate's technology in the past apart from reading about them in news stories and being given awards. At least nothing I would call "quantifiable experience". So I did some digging and read some data sheets and whitepapers. I also had a look around the web to see what else was out there. Most of the things I found were people and news publications re-publishing the press release word for word or paraphrasing slightly with a couple of exceptions.

InformationWeek has a nice article written by Charles Babcock that says a little bit more and makes a very good point. It points out that a large number of Encentuate's customers include organisations from the health care industry, an area where IBM Tivoli security has not had a good track record. I know this to be a fact. I rarely ever saw customers in the health care industry during my IBM tenure and IBM Tivoli security worldwide has very few customer references in this area. Traditionally, IBM Tivoli's customers have been financial institutions and government organisations. Bringing Encentuate into the Tivoli family gives them a foot in the door to quite a number of health care organisations that would otherwise have gone and bought an IBM competitive product.

John Fontana over at Network World also chimed in and mentioned that "IBM said Version 7.0 of its Tivoli Access Manager Enterprise Single Sign-On, which is expected to ship this fall, will be the first IBM-branded incarnation of Encentuate Single Sign-on." I alluded to this in my previous post, so it's nice to see IBM confirming it.

I also came across Gartner's good old Magic Quadrant for Enterprise Single Sign-On, 2007, which I believe is the most recent one (I didn't know they made their more recent reports freely available, but that's not the main point here). After looking at where both Passlogix and Encentuate were in the Magic Quadrant, I went straight to the section where Gartner addresses the strengths and weaknesses (they call this "Cautions") of each vendor.

Here's what they say about Passlogix:
  • Passlogix greatly leveraged its reseller relationships with IBM and Oracle this past year. It also made a deal with RSA to gain RSA Sign-On Manager customers. (Sign-On Manager was a modified OEM version of Passlogix v-GO.) Through this deal, Passlogix also obtained a tighter, more-streamlined integration of RSA SecurID to v-GO implementations.
  • Passlogix has a number of very large implementations, some with more than 100,000 users, and this year it added HSBC, one of the world's largest banking and financial services organizations.
  • v-GO's architecture is two-tiered, with credentials capable of being stored in a variety of back-end directories. Redundancy is predicated on the customer's directory implementation. Passlogix's sign-on automation is wizard- and parameter-based, so no scripts are used. Clients report that most applications can be integrated easily out of the box.
  • Stronger authentication support is good and is implemented using Passlogix's add-on Authentication Manager product.
  • Good, shared-workstation support comes with the add-on Session Manager product. Passlogix supports integration with various provisioning products using its add-on Provisioning Manager. It also provides an SSPR tool focused on the network password used for primary authentication for ESSO.
  • Passlogix's internal support staff is relatively small, as compared with other larger vendors and given its growing customer base. Passlogix must leverage its resellers to provide support while still providing responsive code patch/fix support as problems are uncovered.
  • Reporting and auditing capabilities are provided through third-party tools.
  • Passlogix's standard pricing is one of the highest in this arena, when adding SSPR, stronger authentication support, and shared-workstation and provisioning support to the base-product purchase.
  • Some target systems can be difficult to integrate and will require additional time.

Here's what they say about Encentuate:
  • Encentuate was founded in 2001 and is currently an ESSO pure-play vendor. Overall, Encentuate has a very good product set that customers like and a high rate of out-of-the-box integration with target systems.
  • Encentuate is the only vendor to provide access to all types of applications through a Web browser and without requiring the SSO client to be implemented on the workstation. The use of a virtual private network client is recommended for remote access from outside the network.
  • The Encentuate product set integrates with a good set of stronger authentication options and includes a unique product called iTag. This is a passive proximity/radio frequency ID reader with a tag that can be affixed to anything the user carries (often a physical ID or physical access control badge) and can be used as a form of authentication for the ESSO tool.
  • Encentuate's ESSO product set has excellent shared-workstation support and the ability to provide each user with a private desktop — not just the sharing of applications with a common desktop — as other vendors do.
  • Encentuate's price-for-value proposition is very good, providing shared-workstation support, SSPR and stronger authentication integration for a lower price than most competitors.
  • Encentuate's main challenge is to gain market share more aggressively. Management changes in 2006 left Encentuate to trail similarly staffed competitors in sales growth.
  • Encentuate must establish broader sales and integration partner channels to gain market share.

The first thing I noticed was that I had forgotten about Passlogix's OEM relationship with RSA. This, in addition to the agreements with Citrix, IBM and Oracle further solidify the view that it's part of Passlogix's strategy to find as many channels as possible without worrying about the other partners they might annoy along the way, no matter how large they may be (Citrix, RSA, IBM and Oracle are certainly not lightweights).

The second thing was that Gartner seems to think Encentuate is a good product, their drawbacks being the number (or lack) of deployed customer references (which Passlogix has a lot of) and sales challenges. Assuming you believe Gartner (and sometimes people can be a little skeptical of the analysts, even Gartner), then I dare say the acquisition by IBM solves the "cautions" presented by Gartner about Encentuate. Gartner will now have to find other "cautions", but it looks like they will have to put IBM in the leaders quadrant for Enterprise Single Sign-On pretty soon.

UPDATE: I just found what Gartner has to say about the acquisition. They released it 2 days after I wrote about it, but for those that like to know what Gartner thinks you can read it here.

Thursday, March 13, 2008

IBM acquires Encentuate - did they just dump Passlogix?

My former employer (IBM) is at it again. They've made another acquisition to add to their IBM Tivoli Security suite. This time they've acquired Encentuate, which provides an Enterprise Single Sign On (ESSO) solution in conjunction with strong (and multi-factor) authentication capabilities. They also added to the whole story by announcing the "forming of the IBM Security Software Laboratory in Singapore", which to the innocent bystander sounds like IBM are investing in Singapore and also expanding its "research" operations. In reality, it's "IBM speak" for "we just bought a company that had a bunch of developers based in Singapore and we are turning those offices into another 'lab' that we can add to our list of software labs around the world". The whole lab thing is not the point here. I just thought I'd decode that part of the press release for the non-IBM alumni out there.

So who are the ones most affected by this acquisition?
  1. Any customer who has bought and implemented IBM Tivoli Access Manager for Enterprise Single Sign-On (ITAM ESSO).
  2. Passlogix.
For those that are unaware, ITAM ESSO is an OEM of Passlogix's v-GO product suite. IBM did not hide this fact when they first announced the release of ITAM ESSO. The integration points into the relevant parts of the Tivoli Security product suite were built-in nicely once v-GO had been "blue rinsed". It made sense in early 2006 when the announcement was made. In fact, a lot of us internally at IBM Tivoli fully expected Passlogix to be acquired by IBM eventually once the OEM agreement had been fully "road tested" and proven to be a money maker for IBM. I'm sure many Passlogix employees thought the same (I know of one IBM Tivoli employee who left for Passlogix and used the "I would not have made the decision to leave if the company I was going to did not have a real chance of being acquired by IBM" reason in his farewell email).

Halfway through 2006 (not long after the agreement with IBM), Passlogix announced the same thing with Oracle, one of IBM's major competitors in the Enterprise Identity and Access Management space. You don't need to be a genius to work out that IBM Tivoli's management team were not amused.

Passlogix actually also have an OEM agreement with Citrix for use in their solution, although I should point out that this preceded the IBM agreement and only uses sub-components of the v-GO product suite (so I've been told by some of the Passlogix guys). Consequently, the real thorn in IBM's side was the agreement with Oracle.

In other words, Passlogix shot themselves in the foot by hedging their bets with both IBM and Oracle. Sooner or later, one of these 2 giants of the software industry was going to toss Passlogix out the door like a rag doll...although still with a thin thread attached. I don't know why Passlogix didn't see it coming. Let me explain the thin thread analogy.

IBM now finds themselves with an ITAM ESSO product that is essentially a competitor to Encentuate, which they have just bought. They have also sold ITAM ESSO to many customers in the world (if I was involved in selling you this thing, I apologise profusely - I had no idea). Being IBM and with a reputation to uphold, they will still have to support it for customers that have bought it. In parallel, they are going to have to "blue rinse" Encentuate and out of the colouring process will emerge ITAM ESSO! In other words, the next version of ITAM ESSO will be the "blue rinsed" version of Encentuate. What will marketing do with this? Here's my guess:
  1. Announce (probably informally - essentially just "socialising" the news to existing customers through the sales teams) an impending upgrade to ITAM ESSO 6.0 (Passlogix v-GO).
  2. "Blue rinse" Encentuate.
  3. Announce the release of ITAM ESSO 7.0 with new, major functionality including strong and multi-factor authentication, remote single sign on and additional logging and auditing which is integrated with IBM Tivoli Compliance Insight Manager (actually, this last bit will probably be released in version 7.1 because IBM product management will just want to get core 7.0 out the door ASAP).
Seamless? Almost. What marketing won't say is that the "upgrade" from 6.0 to 7.0 is essentially a rip and replace. There is no seamless upgrade. Sure, they'll probably offer some tools to "help", but the upgrade process will need professional services either from IBM Software Services or IBM Business Consulting Services because the single sign on templates will be completely different between the Passlogix and Encentuate products.

Apart from existing ITAM ESSO customers, Passlogix is the other obvious loser. IBM will need to keep its relationship with Passlogix because they still need to support version 6.0 and Passlogix are ultimately the "development team" in this instance. This arrangement will only last as long as customers are on version 6.0 or when IBM decide to stop supporting version 6.0. From memory, upon release of a new version, IBM will officially support the n-1 version for 2 years starting from the date of release of the new version. I don't know if the policy has changed, but if it hasn't this means that the IBM and Passlogix relationship will only last for a further 2 years starting from the release date of ITAM ESSO 7.0.

I can only imagine that Passlogix is suddenly being extra nice to Oracle because it looks like they have just lost IBM as a potential suitor to sell to. It also means they cannot rely on pushing the acquisition price up by hoping that IBM and Oracle start a bidding war. At this point in time, Passlogix have 1 suitor. Oracle. IBM has found something "better" and as a bonus, they just added strong authentication to their kit bag!

UPDATE 1: I just read the Burton Group's reaction to the acquisition and it reminded me that Sun also has a partnership with Passlogix. It's not an OEM one to the best of my knowledge, but Sun could perhaps be a suitor for Passlogix. I still think Oracle's the more likely option however, as Sun has hedged their bets as well because of their partnership with ActivIdentity (one of Passlogix's major competitors).

UPDATE 2: Chris (I don't know his full name because he doesn't publish it) just left me a comment in response to this post to point out that BMC are also a Passlogix v-GO reseller. I actually went back to take a look at Passlogix's list of non-OEM partners and true enough, BMC is on there. If you look down the list, you might also notice that Novell is listed. I don't know if it's a reseller agreement or just a technology integration certification/partnership, but Passlogix are sure hedging their bets even more than I initially thought. I still believe that Oracle are the number 1 suitor and the vendor most likely to acquire Passlogix, but at least having all these partnerships gives Passlogix options if things don't go well with Oracle.

Tuesday, March 04, 2008

Not worried about information leakage?

You (link 1) should (link 2) be (link 3).

(Disclosure: I work for a data security infrastructure software vendor - but these are my thoughts and not those of my employer.)

I often talk to organisations about the fact that employees aren't trying to violate security policies. They just don't know what the right thing to do is. In other words, it's about education as much as it is about technology.

If you followed the links above, there's another thing to consider: the altruistic tendencies of human beings. I'm all for free speech and the right of the public to know when unjust or unethical factors are at play. But this is all subjective. Taking a look at information control within organisations from this point of view, you're going to have employees who are doing the wrong thing knowingly but have a greater good in mind.

If I put myself in the shoes of the information security department (the executive board will probably share this view), I don't want anything getting out...especially if it damages the organisation. That includes cases where it can be argued that it's for the greater good. Why? Because people are just doing their job (consider why people work for tobacco companies or gambling organisations). People are also entitled to their own opinions. It is this subjective view that may be prone to error. Regardless of whether the person is right or wrong about the facts, if they happen to violate security policies even if they think it's the right thing to do, they should be stopped. That's why security policies are there in the first place. It may be determined at a later date that the policy is wrong, but that's the fault of the person who created the policy, not the whole security process or the controls in place. Security is there for a reason and it should be enforced.

I realise there is a very fine line here. If something an organisation does is plain wrong, we should all know about it. But at the other end of the scale, if we promote rumour and innuendo, the damage to an organisation may ultimately lead to its downfall.

Security can get rather philosophical at times and I'll be heading that way if I don't stop right here. We should all decide for ourselves what is right and wrong. I'm just pointing out another factor to consider when trying to secure your organisation's information.

HP bows out of the identity game

According to the Burton Group, HP has decided to no longer actively sell their Enterprise Identity Management products (HP Identity Center).

They've never really been in the Enterprise Identity Management game. All they succeeded in doing over the years was to acquire a bunch of companies and then package them under the same marketing banner. The problem was they didn't know what to do with them from both a sales and strategic standpoint. It seemed like they were just "keeping up with the Joneses" because their main rivals (IBM, CA and to a certain extent BMC) all had Identity Management solution suites to go along with their systems management strengths.

Certainly back when I used to do this (for IBM) in Australia, HP was a non-factor. I'd only ever run into Oracle, Sun and sometimes CA. The reaction to HP was usually: "They do security? I thought they just sold servers". That was certainly the problem IBM had for a while, but they managed to get it right by sending the right marketing messages out there, making the right investments, getting their strategies more or less right (and executing them) and hiring the right people to drive the initiatives (both for Software Group and Security). HP did not. The past year I've spent working in the UK and across Europe with many organisations has further convinced me of this. HP are a non-factor in Identity Management across Europe, and in light of this latest development it seems that was the case with the rest of the world as well.

HP will not be going with the "end-of-life" option with its products at this stage. But they will not be actively pursuing new sales. Read the post yourself if you want the nitty gritty details. I'm not going to regurgitate them.

I will say one thing. If you have HP's Identity Software, what were you thinking?!

I'm sure the other vendors will come knocking on your door offering to rip out HP and put in their solution. A word of warning on this point. Don't rush into anything. Sure, I'd stop what you're doing with the HP solution and start thinking about a migration plan. But let this be a positive. It gives you a chance to re-evaluate the situation and your Identity and Access Management strategy. If you were anywhere along the path of putting the HP solution in, there will surely be lessons to take from the experience. Use these lessons to figure out what you need, what you don't need, and what your priorities are.

Hint: You don't need the big consulting firms. If you were actively involved with the project, you know what needs to be done and you have a lot of this knowledge already. If you did not, here's your chance to take the initiative back and own the project. Successful projects are driven from within because a big part of it is acceptance of cultural and procedural changes. Get whatever help you need from external consultants to fill in the gaps...but don't go paying a big consulting giant to re-architect your whole solution around another vendor's products. It's not about the technology anymore - at least not if you are comparing solutions from the big suite vendors.

Do the people running my bank's security read my blog?

Hoping that the security people within my bank read my blog is probably wishful thinking on my part. Maybe they do. I have no idea.

But today, they did something that I've been calling for on this site. My last post mentioned the issues around bad security practices used by organisations around the world (including banks) when dealing with their customers (people like you and me), specifically around mutual authentication between the organisation and the customer...or rather, the lack of any - thus relying on the customer to accept all the risk. If you follow the links in that post back to my earlier blog entries, you'll know it's been eating away at me for a while.

I applied for another type of account with my bank over the weekend. Today they called me to ask a few questions and to perform due diligence around the whole process. I fully expected the one-sided authentication I've come to expect from organisations and was prepared to give the wrong answer the first time around (followed by the right answer if they correctly identified that my answer was incorrect). I had no reason to expect anything different because I've dealt with my bank in the past and this is what they've always done.

To my pleasant surprise, they began by telling me that I had applied for an account over the weekend (and correctly naming the type of account) and that they were about to give me partial details about myself and I would have to fill in the rest! EXACTLY the type of mutual authentication process I've been crowing about! Worked very nicely and painlessly. It also gave me a sense of assuredness that I was indeed speaking with my bank.

I'm not silly enough to mention which bank I'm talking about, but if your bank doesn't do this at the moment, start complaining until they do. It's the way things should be done.
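To make the difference between the two phone-call flows concrete, here is an added example (my own illustration, not the bank's actual procedure or any vendor's code) that models the exchange described above as a small protocol. All names and details (`CustomerRecord`, "A. Example", the postcode and date of birth, `IMPOSTOR_VIEW`) are constructed sample data. The mutual flow has the caller go first with a partial reveal of facts only the bank should hold; the customer checks those against what they know and only then completes the remainder. The one-sided flow hands the full details to whoever dialed.

```python
from dataclasses import dataclass

# Constructed sample data for this example; no real customer or bank is modelled.
@dataclass(frozen=True)
class CustomerRecord:
    name: str
    postcode: str
    date_of_birth: str          # ISO format, YYYY-MM-DD
    pending_application: str    # the product applied for, as the bank recorded it


# What the bank holds on file (constructed).
CUSTOMER = CustomerRecord("A. Example", "SW1A 2AA", "1975-06-14", "savings account")

# What an unknown caller who merely has the customer's name and phone number holds:
# no record, so every "bank-side" detail is a guess (constructed).
IMPOSTOR_VIEW = CustomerRecord("A. Example", "EC1 GUESS", "1980-01-01", "credit card")


def bank_opening_statement(record: CustomerRecord) -> dict:
    """Step 1 (bank -> customer): state the event and a *partial* reveal of
    details only the bank should know. Nothing here is asked of the customer."""
    return {
        "pending_application": record.pending_application,
        "postcode_prefix": record.postcode[:3],
        "birth_month": record.date_of_birth[5:7],
    }


def customer_verifies_caller(statement: dict, own: CustomerRecord) -> bool:
    """Step 2 (customer side): does the caller's partial knowledge match mine?
    A caller without the real record fails here, before anything is disclosed."""
    return (
        statement.get("pending_application") == own.pending_application
        and own.postcode.startswith(statement.get("postcode_prefix", "\0"))
        and statement.get("birth_month") == own.date_of_birth[5:7]
    )


def customer_completes(statement: dict, own: CustomerRecord) -> dict:
    """Step 3 (customer -> bank): supply only the remainder of the partially
    revealed details, so even a lucky bluffer learns less than the whole."""
    prefix_len = len(statement["postcode_prefix"])
    return {
        "postcode_suffix": own.postcode[prefix_len:],
        "birth_day": own.date_of_birth[8:10],
    }


def bank_verifies_customer(answers: dict, record: CustomerRecord) -> bool:
    """Step 4 (bank side): the completed details must reassemble the record."""
    prefix = record.postcode[:3]
    return (
        prefix + answers.get("postcode_suffix", "") == record.postcode
        and answers.get("birth_day") == record.date_of_birth[8:10]
    )


def run_mutual_call(caller_record: CustomerRecord, customer: CustomerRecord) -> dict:
    """Full exchange. `caller_record` is whatever the dialing party actually holds:
    the bank's file for a genuine call, guesses for an impostor."""
    statement = bank_opening_statement(caller_record)
    if not customer_verifies_caller(statement, customer):
        # Customer hangs up; the caller has gained nothing they did not already have.
        return {"customer_disclosed": False, "bank_accepted": False}
    answers = customer_completes(statement, customer)
    return {
        "customer_disclosed": True,
        "bank_accepted": bank_verifies_customer(answers, caller_record),
    }


def run_one_sided_call(customer: CustomerRecord) -> dict:
    """The flow the post complains about: the caller asserts "this is your bank"
    and asks for everything. Whoever dialed receives the full details."""
    return {"postcode": customer.postcode, "date_of_birth": customer.date_of_birth}


if __name__ == "__main__":
    print("genuine bank, mutual flow :", run_mutual_call(CUSTOMER, CUSTOMER))
    print("impostor, mutual flow     :", run_mutual_call(IMPOSTOR_VIEW, CUSTOMER))
    print("any caller, one-sided flow:", run_one_sided_call(CUSTOMER))
```

The point the model makes is where the risk sits: in the one-sided flow the customer carries it all, since the only thing standing between an impostor and the full details is the customer's willingness to answer, whereas in the mutual flow the caller must prove knowledge first and the customer's disclosure is limited to the complement of what was already revealed.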