With concern over internal data breaches and compliance growing, Sun Microsystems today rolled out Sun Identity Compliance Manager to tackle these problems.
This offers role management by “building on Sun’s (NASDAQ: JAVA) Identity Manager 8.0 announcement in the summer, and it wraps in the role management capabilities they acquired from Vaau earlier this year,” IDC research director Sally Hudson told InternetNews.com by e-mail, referring to Sun’s purchase of the role management and identity audit vendor.
The news comes as insider breaches continue to pose a major security threat according to security vendor RSA, which makes compliance, based on identity management, increasingly important. In a study this month, RSA found that 43 percent of 417 attendees to industry events had switched jobs internally, but still had access to accounts they no longer needed. A total of 79 percent said their company employs temporary workers or contracts who require access to critical organizational information and systems, while 37 percent have stumbled into parts of their corporate network they believe they should not have had access to.
Role management is critical to access control and compliance. It “is becoming the buzzword du jour in identity and access management [IAM],” IDC’s Hudson said.
If managers find staff have access to applications they should not, Sun’s product lets them initiate a request to correct this. Requests can be sent out automatically as part of change management systems, user provisioning systems, or by e-mail, and Sun’s product will track them, validate the correction and capture the associated audit trail.
Sun Identity Compliance manager also enables enterprises to define and enforce segregation of duties, a key part of IT security. A simple example of segregation of duties in business is implementing separate departments for accounts payable and accounts receivable.
Controlling and managing access “strengthens security in the enterprise by removing risk and/or outdated access,” Burton Group analyst Ian Glazer told InternetNews.com by e-mail.
It was the failure to implement separation of duties that let rogue systems administrator Terry Childs hold San Francisco’s fiber-optic wide area network hostage back in July by replacing all the passwords with ones only he knew. The proper thing to do would have been to have different people hold different passwords.
Sun’s product also includes an entitlements glossary, which enables business users to display IT entitlements in easily understood business terms — important in helping business managers understand the roles of their staff and approve or disapprove access without having to refer back to IT.
The product also automates the controls and reporting associated with access, and lets enterprises monitor changes in user access in real-time to maintain compliance and mitigate potential business risks. Real-time monitoring of user access is crucial, as many companies fail to close down old or unused accounts, leading to orphan accounts that can be misused.
The prize in IAM
The new launch could mean that Sun may be on to a good thing. Regulatory compliance, both in the United States and worldwide, drives “about 75 percent of the overall IAM market, which renders the market segment somewhat recession-proof,” Hudson said. Overall, license and maintenance revenues for IAM totaled $3.1 billion exclusive of services in 2007, she said, adding that IDC forecasts that figure will exceed $5 billion by 2012.
But to capture a share of the market, Sun will have to take on some big names. The market leaders in IAM software licensing and maintenance revenue are IBM, (NYSE: IBM) CA, (NASDAQ: CA) Oracle (NASDAQ: ORCL) and Novell (NASDAQ: NOVL), in that order, Hudson said.
She added that Sun has “lost some ground over the past 24 months” against those companies, but its new product could help it make up some of the difference.