RealTime IT News

Sun ID Software Takes to the Audit Trail

Recognizing that compliance is a major concern of many enterprises, Sun Microsystems has created a beta of an identity management software package that lets customers create an identity audit trail.

The Java System Identity Auditor presents an automated account of an employee's identity and system access privileges, helping corporations prove and manage who has access to what programs.

The proactive approach helps the company sniff out violations, such as improper access, minimizing the risk of breaching compliance laws, including Sarbanes-Oxley, HIPAA and SEC 17a-4. Such mandates require companies to store data on access privileges -- past and present.

These rules are driving a market that AMR Research said could top $6 billion in the next year, with 70 percent spent on labor and 30 percent spent on technology.

With ID Auditor, companies can save money they might have spent on hiring and managing external consultants to perform auditing and compliance tasks to manage identities. The policy engine seeks out IT controls, turns them into rules that reach out to the application environment and figures out what is non-compliant.

The software also schedules scans to occur on a regular or an ad-hoc basis, firing off reports to administrators. Identity Auditor is tucked in to Sun's identity management suite, integrating with provisioning and access management software to fix policy violations on the fly.

For example, Don Bowen, director of directory services at Sun, said a policy violation could trigger an action within Sun Java System Identity Manager provisioning software to disable an account, or have the Sun Java System Access Manager terminate a session.

Integration doesn't stop there for ID Auditor, which works with security event management applications, such as Symantec Security Management System, to ensure security policies. For example, if a company's network is attack, the SEM application can tell Identity Auditor to disable accounts, terminate sessions and file a report.

According to Bowen, companies need something like Identity Auditor because many are trying to implement security controls. But businesses struggle with verifying and auditing these controls, so they look for outside help.

"One of our customers has identified 37 applications that play into their bottom line," Bowen said. "When they do the audit on this, it takes them 50 months to do -- every time. That's just not sustainable."

Identity Auditor will be sold as a standalone product, but will also be offered as part of a suite later in 2005. Pricing has not been determined.

With the ID management market growing by more than a third each year, Bowen said ID management sales are growing by 100 percent each year, thanks to business from the financial, government and telecommunications space. Bowen cited IBM as the top competitor to Sun in the ID management space.

Sun is also getting serious about addressing compliance. Last week, the company's storage unit rolled out its Compliance and Content Management Solution, a hardware, software and services package that will eventually replace Infinite Mailbox, the company's e-mail archiving solution.