Many IBM Tivoli (and ex-IBM Tivoli) people have been saying for years that IBM Tivoli Access Manager's WebSEAL component should be an appliance, not a piece of software you have to install. For those not familiar with IBM Tivoli's security products, WebSEAL is the web proxy that typically sits in the DMZ of your network and performs the authentication and authorisation for your Web applications. I won't go into a sales pitch about why that's a good thing. If you really want to know, ask your local IBM sales rep or send me an email via the contact form on this blog and I'll get back to you.
For one thing, an appliance will generally perform better. Extremely handy when it's the front door into your enterprise web environment. IBM will not disagree because they have an appliance product doing what WebSEAL does, but for Web Services. It's called WebSphere Datapower, which was technology IBM bought via the acquisition of Datapower in 2005. The specific appliance I'm referring to is the XS40, which I also had to know about for some time until IBM finally decided to stick it once and for all under the WebSphere brand. To be fair, it does have integration points into IBM Tivoli Federated Identity Manager so all you IBM security people shouldn't be ignoring it.
It's also become somewhat of a commodity. Every major vendor has one, calls it "Access Manager", delivers it on a CD (meaning it's software) and all have very similar core functions. They are just architecturally different. I suppose it wasn't worth the effort to make it an appliance even though it made sense. All these "Access Manager" products have been selling just fine as software components.
I've been catching up on my news items (when am I ever not) and stumbled upon these guys. They are P2 Security and have built exactly what I've just described. An appliance that does Web Access Management. They even have a comparison matrix against the big vendors, which by the way isn't exactly accurate. I already see some "crosses" against IBM that I know should be "ticks".
The one beef I have with this appliance from P2 Security is that they count having a policy server as a negative (see the comparison matrix). I don't see why that is the case. They may argue that it presents management overhead. Sure, but I don't see any mention within their collateral of how they manage security policies when someone decides to buy more than one appliance.
If you are in the security game, you know it's a pain in the behind to have to change security policies (or any policies for that matter) in multiple places. Are they saying that if you have multiple appliances, each time you change the policies on one of them, you have to do it for the others? It may be tolerable if it's a simple policy change, but security policies are not usually simple when it comes to authorisation (aka entitlements, although in this case I don't think the appliance can get fine-grained enough to qualify as doing any real entitlement management). Any decent technology company will have an answer for my question, so perhaps they've already thought this through. I just can't find it on the site (maybe I'm not looking hard enough, but it's late so give me a break).
The main point to make here, however, is that it remains a point solution. Useful if you are a small organisation that only wants to do Access Management for your web applications, but if you want a more coherent and integrated Identity and Access Management solution, you should probably go for one of the large suite vendors. That said, I applaud P2 Security for delivering what many have been asking for (but vendors have not bothered to build because the ROI on the effort didn't make sense).
Of course, they are a perfect target for acquisition by an Identity Vendor without an access management product. Did I hear someone say Courion?