IBM New Access Manager Faces Tough ID Management CompetitionIBM New Access Manager Faces Tough ID Management Competition

The ability to control who has access to different systems and information is emerging as a key requirement for businesses to meet the growing demands of improved security and stricter compliance with a number of government regulations. Until recently, this meant businesses would likely have to introduce an access control software vendor into their already long lists of application providers. But as IT behemoths IBM, Hewlett-Packard, Oracle, and others buy their way into the identity management software market, they're promising customers a more integrated approach to security and compliance.

IBM got an earlier start than its competitors in acquiring the technology needed to build a more complete identity management offering, including the 2002 purchase of user-provisioning software maker Access360. IBM is putting that head start to good use and Friday introduced the latest version of Tivoli Access Manager, the piece of IBM's overall identity management software suite that controls access to different applications, including E-mail, Web portals, and HR and financials databases.

Version 6 of Tivoli Access Manager is designed to improve access controls by letting IT departments manage access data in a central repository, a move that should also please auditors looking to ensure regulatory compliance. A centralized reporting capability enables compliance officers to detect unauthorized access to resources and reconcile this behavior with data contained in Tivoli Identity Manager. When combined with Tivoli Federated Identity Manager, companies should be able to centrally audit and report on business partner and third-party access to their IT systems and services.

"With a lot of compliance initiatives going on in the industry, we wanted to make sure we captured enough information so that during a compliance audit, auditors had a centralized place to go to pull info about who's accessing systems and what they're accessing," says Joe Anthony, IBM Tivoli director of identity management, who adds that IBM has 1,500 customers for its Access Manager software.

No software maker offers a complete, fully integrated suite of identity management applications, which would include identity management, access management, user provisioning, and directory server, among others. Still, "IBM has been evolving its identity management technologies to the point where it can now up the ante in the market," says Mike Neuenschwander, VP and research director with IT research and advisory firm Burton Group.

IBM is also looking at the future of identity management, which includes the ability to better manage biometric data and integrate identity management features into Web services. The company has since 2002 integrated Daon Inc.'s DaonEngine biometric authentication software with Access Manager. DaonEngine authenticates users to the system using biometric credentials, such as fingerprint, voice and iris, and Access Manager provides single sign-on and access to the appropriate system resources based on security and business policies.

Other identity management software providers have been anything but idle. In a move to make its identity management offering easier to use for non-technical users, Novell promises this month to begin shipping Identity Manager Version 3, which lets IT departments delegate more responsibility to business managers and end users by adding an intuitive user interface and automatically routing self-service provisioning requests. HP earlier this month announced plans to buy Trustgenix Inc. and integrate Trustgenix's federated identity-management software, which supports Security Assertion Markup Language and Liberty Alliance Project standards, into HP OpenView to let users securely access information residing on different systems.

Oracle, which has been on the mother of all acquisition sprees for the past couple of years, last month bought Thor Technologies Inc., a developer of cross-platform provisioning tools, and OctetString Inc., a supplier of virtual-directory software. These acquisitions followed Oracle's March purchase of identity-management software vendor Oblix Inc. Meanwhile, Computer Associates last month introduced CA Identity Manager, which is largely the product of CA's November 2004 acquisition of Netegrity. Cryptographic hardware and software maker nCipher plc also jumped into the market last month by buying Abridean Inc., a user management and provisioning software company.

Despite all of the advancements in identity management made recently, the technology must continue to evolve. Software maker Fischer International will by the end of December take a step in that direction by including the ability to let PocketPC-based PDAs remotely perform identity management functions with version 2.2 of its iFly application.

Companies should expect their identity management vendors to create software that integrates seamlessly with service-oriented architectures built to make IT more responsive to business needs. Since IBM and its larger competitors are essentially platform vendors—providing a range of hardware, software, and middleware—companies should expect these companies to build identity management capabilities into all of the products they sell, from PCs to ERP packages.