Sun Identity Manager: compliance is about more than saying what you should be doing to comply
At the Digital ID World conference taking place in California (Eric/Phil - how about extending the world of digital ID to Europe and hosting something here?), Sun Microsystems announced Identity Manager 7.0, the next iteration of its identity lifecycle management (aka user provisioning) solution due for release next quarter. The key new feature of this release is what Sun refers to as identity auditing: extending compliance auditing beyond provisioning processes to the applications and systems which actually use the provisioned identity data.
Regulatory compliance has undoubtedly boosted organisations' interest in identity management solutions and the vendors have been quick to respond. However, that response has largely focussed on ensuring that policies are enforced, and can be demonstrated to have been enforced, when identity data is provisioned, e.g. to ensure that users in a particular role are only provided with read-only access to a particular application. As I have discussed in our identity management report, effective compliance requires a more comprehensive response: organisations need to be able to ensure that the application actually enforces that read-only access, that any deviations are logged and so forth. Identity auditing is Sun's response to address that need and a welcome response at that. This is something I also highlighted in my discussion of Novell's integration of the Sentinel assets it acquired with e-Security.
Whilst I am positive about this new set of capabilities, I think Sun is slightly over-egging the press release pudding with the following:
enhancements to its market-leading identity management software suite that are the first to combine the capability to prevent inappropriate user access to systems and applications while detecting violations in the company's user access policies
Reading on, Sun is quite careful to point out that it is the first to combine user provisioning with identity auditing, but I think IBM, with Tivoli Access Manager's Common Auditing and Reporting Services, could justifiably claim to deliver the same business outcome (and that after all is what the business is concerned about), albeit not tied directly into its user provisioning solution. That gripe aside, this is a good move by Sun and extends the company's already strong identity management proposition.
Organisations who are turning to identity management as part of their compliance initiatives need to carefully scrutinise potential solutions. If the vendor is focussing exclusively on the provisioning process then it's time to ask some tough questions.