This week we're talking about the lack of merger and acquisition announcements at the recent Burton Group Catalyst Conference. In the last issue, I discussed the reasons why the virtual directory and simplified sign-on areas are showing little M&A activity, but today I want to examine what's happening in the role management and role-based access control space.
Roles are one of the hottest areas of identity management, spurred on by the growing awareness that a number of "solutions" are more easily managed by the use of roles. Regulatory compliance and cross-domain provisioning are just two areas - two very big areas - where the use of roles not only makes the job of identity management much easier but also provides greater security and flexibility in handling authentication and authorization.
I have been surprised by the lack of acquisition activity on the part of the major identity suite providers vis-à-vis the role management companies, but a few of the bigger players provided the reason - and it's something they all agree on. There simply isn't any standard method of providing role creation.
It helps to remember that there was little movement to acquire provisioning companies until the architecture of provisioning and workflow was fairly well standardized among the practitioners. Then the pace of acquisition improved dramatically.
With some preaching a top-down approach of creating roles based on business rules and practices while others advocate a bottom-up approach emphasizing audits and data mining of what people actually do, there are no definitive "best practices" for role creation. While it seems obvious that, eventually, a synthesis of these methods will emerge as the standard way to create and manage roles, there's still enough diversity in the marketplace that the big identity management vendors aren't willing to bet on the final outcome. Instead, they'll partner with many different role creation companies. That means that folks like Bridgestream, Eurekify, Trusted Network Technologies, BHOLD, Blackbird, Engiweb, Prodigen, SecurIT, and Vaau will maintain their independence for now, with only the remote possibility that, should any of them founder with customers, their investors might seek to sell out at fire-sale prices.
So it seems that the niche markets (or, perhaps better, "specialty" markets) of SSO, virtual directory and RBAC are strong and thriving. There's also a new niche developing, one which a new startup hopes to prevail in - compliance monitoring.
Aveksa has just recently released version 1 of the Aveksa Compliance Manager. I recently spoke with the company's CEO, Deepak Taneja, who's been around identity since his days with Banyan and StreetTalk. He said that the idea behind the new company was that privacy, security and SEC regulations now mandate that companies know who has access to what and who did what and when. Even beyond the significant regulatory repercussions of breaches, the business impact can be devastating. According to Taneja, the Aveksa Compliance Manager provides organizations with a tool to help mitigate these risks.
So as fast as the identity business was consolidating a year ago, today there are new organizations springing up to target the important areas that the various suites might overlook. It is a good time to be a customer in the identity space as competition and choice continue to grow.