That need hasn't been lost on software vendors. BMC Software, for one, is trying to position itself as the go-to security vendor for adding identity-management features to Microsoft .Net environments. Today it released BMC Identity Management .Net, which lets companies add user access, compliance, and password management into applications based on .Net. The software integrates with Microsoft security technologies, yet is intended to give businesses more options and features. Due to lack of options, many businesses have been forced to build their own identity management apps for the .Net environment, says Somesh Singh, VP and general manager of BMC's identity management group. BMC also is designed to allow Microsoft Identity Infrastructure Server to support non-Windows environments, including Unix and mainframes, while centralizing identities and policies in Windows 2003 Active Directory Application Mode.
BMC's move to support .Net could help it stand apart from some of its large competitors in the business application market."This will give small and medium businesses better automated control over their user populations, including access and the levels of privileges are being granted; something only large businesses have been able to afford and implement,"says Gerry Gebel, a Burton Group senior analyst, noting that BMC competitor Oracle doesn't support the .Net environment with its security tools.
Oracle, meanwhile, says it's on the lookout to partner with a vendor that that offers single sign-on software to add to its portfolio of identity management offerings, which are largely the result of an acquisition spree over the past few years. Single sign-on, which lets people use just one user ID and password to get access to multiple applications, would join Oracle's directory, federation, identity administration, meta-directory, public-key infrastructure, user provisioning, virtual directory, Web-access management, and Web-services management capabilities. Oracle is one to watch in the identity management market "because they have such a heavy presence in the business application space," Gebel says.
Just as BMC is staking a significant part of its growth on identity management software that lets its customers' better audit who's using their systems, Oracle is relying on this software as a cornerstone of its Fusion Middleware strategy, which itself is crucial to Oracle's overall plans to sell integrated software packages rather than independent databases and business applications. Oracle's focus on identity management as a security tactic is a bit ironic, given that the company has come under fire from Gartner researcher Rich Mogull for a range of exploitable vulnerabilities to its database software.
"Critical Oracle vulnerabilities are being discovered and disclosed at an increasing rate, and exploit tools and proof-of-concept code are appearing more regularly on the Internet," Mogull said last week in an online advisory. He also blasted Oracle for providing too little information about vulnerabilities, rolling out low-quality patches, and neglecting to offer workarounds.
Still, companies are finding that identity-management is an indispensable component of corporate IT security and regulatory compliance. "You can't do anything with your systems unless you know who's using them," The McGraw-Hill Companies VP and chief security officer Dennis Brixius said last week at an Oracle identity-management seminar in New York. He estimates that most companies have a 30% error rate in their user directories because they don't clean out those directories when employees depart. This leaves access privileges for people who are no longer entitled to those privileges.