At first, IBM will simply "hang the Tivoli sign" at the Irvine, Calif., office of Access360 after the customary regulatory approvals are cleared for the merger, said IBM Tivoli General Manager Robert LeBlanc. Access360, started in 1998, has 128 employees, and LeBlanc said no layoffs at either IBM or Access360 are anticipated as a consequence of the acquisition.
IBM Tivoli markets Privacy Manager and other software modules that overlap somewhat with EnRole. LeBlanc said Tivoli developers would strive to combine "the best of both" vendors' lines for a product aimed at automating the complicated task of identity management and access rights. However, IBM is clearly impressed with the EnRole technology, which will be retained as the core underpinning for provisioning.
These days, most provisioning -- the process of granting or revoking network or application privileges to employees, e-commerce partners or contractors -- is done manually, whether on mainframes, Unix or Windows NT.
The EnRole software allows security managers to automate the provisioning process by following a series of steps that involve policy management, access-request management, access rights, intelligent routing approval, password self-service, and audit and history tracking.
A number of companies -- including IBM, Computer Associates, and start-ups Business Layers, Critical Path and Waveset -- are marketing provisioning software of varying sorts. The oft-stated goal is to achieve "identity management," which sometimes relies on role-based security. With role-based security, groups of employees are granted access rights based on the employees' role in the organization.
The advantage is that once provisioning software is in place, managers can more quickly grant or revoke access privileges -- and sometimes even credit cards or physical access to buildings -- through carefully delegated controls.
IBM has plucked up one of the best of the "pure-play provisioning start-ups," according to Jamie Lewis, analyst at The Burton Group.
"The reason IBM is making this move is that provisioning is an overall part of 'identity management,'" says Lewis, noting that IBM also recently bought Metamerge, which sells meta-directory and middleware products for provisioning, with the goal of combining components to have an extensive identity-management offering.
Lewis notes that IBM's long-term challenge is to integrate these piece parts into a suite for identity management. "In the future, you'll likely hear IBM Tivoli talking more about security management than network management," Lewis added.
However, so far it has been primarily only very large organizations that have been willing to spend the time and money to deploy what is still a new genre of software for managing access control, authorization and revocation. Provisioning software from most vendors can cost hundreds of thousands of dollars for large deployments. "It can cost millions when you add in the professional services," Lewis points out, because there's usually the need for customization and integration work for the enterprise.
Access360 has only 35 customers. According to Access360 CEO Paul Gigg, they include oil giant BP, using EnRole for 150,000 users in 15 countries; and Prudential Financial, using the provisioning software for 65,000 users.
IBM's LeBlanc conceded that automated provisioning has remained the domain of very large customers, but he said he hopes any new products that result from the merger of Access360 with IBM Tivoli include software with a greater appeal for mid-sized companies as well.
IBM Tivoli expects to detail product plans around Tivoli network management and EnRole (including the question of whether to retain the EnRole brand name) by year-end.