Sun ID Software Takes to the Audit Trail


Recognizing that compliance is a major concern of many enterprises, Sun
Microsystems has created a beta of an identity
management software package that lets customers create an identity
audit
trail.


The Java System Identity Auditor presents an automated account of an
employee’s identity and system access privileges, helping corporations
prove
and manage who has access to what programs.


The proactive approach helps the company sniff out violations, such as
improper access, minimizing the risk of breaching compliance laws,
including
Sarbanes-Oxley, HIPAA and SEC 17a-4. Such mandates require companies to
store data on access privileges — past and present.


These rules are driving a market that AMR Research
said could top $6 billion in the next year, with 70 percent spent on
labor
and 30 percent spent on technology.

With ID Auditor,
companies can save money they might have spent on hiring
and managing external consultants to perform auditing and compliance
tasks to manage identities. The policy engine seeks out IT controls,
turns
them into rules that reach out to the application environment and
figures
out what is non-compliant.


The software also schedules scans to occur on a regular or an ad-hoc
basis,
firing off reports to administrators. Identity Auditor is tucked in to
Sun’s
identity management suite, integrating with provisioning and access
management software to fix policy violations on the fly.


For example, Don Bowen, director of directory services at Sun,
said a policy violation could trigger an action within
Sun Java System Identity Manager provisioning software to disable an
account, or have the Sun Java System Access Manager terminate a
session.


Integration doesn’t stop there for ID Auditor, which works with
security
event management applications, such as Symantec Security Management
System, to ensure security policies. For example, if a company’s
network is attack, the SEM application can tell Identity Auditor to disable
accounts, terminate sessions and file a report.


According to Bowen, companies
need something like Identity Auditor because many are trying to
implement
security controls. But businesses struggle with verifying and auditing
these
controls, so they look for outside help.


“One of our customers has identified 37 applications that play into
their
bottom line,” Bowen said. “When they do the audit on this, it takes
them 50
months to do — every time. That’s just not sustainable.”


Identity Auditor will be sold as a standalone product, but will also be
offered as part of a suite later in 2005. Pricing has not been
determined.


With the ID management market growing by more than a third each year,
Bowen
said ID management sales are growing by 100 percent each year, thanks
to
business from the financial, government and telecommunications space.
Bowen
cited IBM as the top competitor to Sun in the ID management space.


Sun is also getting serious about addressing compliance. Last week, the
company’s storage unit rolled out its Compliance and Content Management Solution, a hardware,
software
and services package that will eventually replace Infinite Mailbox, the
company’s e-mail archiving solution.

News Around the Web