Saturday, November 07, 2009

CA DLP headed in the right direction

When CA acquired Orchestria, I said it was a good move. I even wrote a follow-up post about why Identity & Access Management (IAM) and Data Security/Data Leakage Prevention (DLP) fit so well together. 2 weeks ago, CA sent out a fairly lengthy press release with a list of products they've updated. The 2 products that caught my eye were GRC Manager 2.5 and DLP 12.0. This post covers the DLP product.

I spoke with Gijo Mathew, Vice President of Security Management at CA about the DLP announcement to get a better understanding of CA's strategy in the longer term and clear up a few things which confused me with their press release. Here are the "new features" for DLP 12.0 which I've lifted from the release:
  • Enhanced Discovery – Provides the ability to scan data locally on endpoints and to scan directly into structured ODBC databases to identify sensitive data.
  • Extended Endpoint Control – Leverages existing data protection policies to control end-user activity such as moving data to writable CDs or DVDs, and taking a screen print of sensitive content.
  • Seamless Archive Integration – Integrates with CA Message Manager, a product in CA’s Information Governance Suite, to help deliver end-to-end message surveillance, reporting, and archiving.
The first thing I should point out is that the ability to scan structured databases is a BIG plus. Many DLP vendors out there do quite a lot with either unstructured data (e.g. files on disk, data in memory) or structured data (e.g. databases), but they don't usually handle both. Orchestria fell into the "unstructured data" bucket. Now under the CA banner, they can finally support the ability to scan and classify data sitting in databases. Note however, that the ability to scan/identify/classify data and the ability to enforce controls over access to this data are completely separate things. To be able to properly enforce controls over structured data, a product would need to hook into the low level database security mechanisms. As a result, the enforcement of access controls into databases based on the content being accessed is difficult and very few vendors can actually do this at the moment (CA included).

While we're talking about scanning, CA also improved the way they scan for unstructured data. In previous versions, the scanning had to be performed from a central server. This is not ideal in many cases thanks to all the things that get in the way like firewall rules, security restrictions on machines, desktops not necessarily being available when required for scanning (either by being off the network or turned off) and so on. A more robust scanning strategy should support the ability to have the endpoints scan local data when required. It takes the load off the central server and allows for a more complete view of the environment from a data management standpoint. The new version of CA DLP added this capability. The negative however, is the performance hit taken by the endpoint while the scanning is being done (this is not a CA specific drawback - any endpoint scanner is going to impact performance).

The second point about the additional features around endpoint control (specifically regarding the mention of moving data to CDs, DVDs and controlling screen print events) really confused me. The examples given are supported by just about every single endpoint DLP vendor out there. I was shocked that Orchestria didn't have these capabilities. Alas, this was not the case. Gijo mentioned that they merely enhanced the capabilities around the CA DLP endpoint component and that these were some examples they picked out. The point CA were trying to make was around the fact that they still do the core DLP things expected of any DLP product worth implementing. Apparently after the previous release of DLP, many assumed they were no longer focusing on the core DLP capabilities and going down the "identity aware DLP" road. This is definitely not the case according to Gijo.

While the points mentioned in the press release are interesting in that they show CA are serious about core DLP capabilities, what impressed me most was the longer term vision CA has for the product. In fact, it is this longer term vision that had some accusing CA of neglecting their core DLP capabilities in the previous release.

CA are fortunate in that the natural evolution of products in the DLP space fits nicely with their need to work at integrating DLP with their portfolio of products. It makes product management decisions slightly easier for them instead of having to spend a lot of time trying to balance the need for additional features with being able to sell a cohesive suite of solutions (which is commonly the problem with acquisitions). In other words, adding integration points provides CA DLP with additional capabilities that make sense for most of the other products involved as well. For example:
  • The ability to add context to access control is a very powerful thing. Context is very much about information, with data at its core (although it's not everything, because data alone does not tell us what a user is actually doing). What I'm referring to is commonly labelled as content aware access management. A common use case here typically involves integration of access control decisions by a web access management component (Siteminder in CA's case) with data aware mechanisms provided by a data security solution (CA DLP in CA's case). The web access management product can either make decisions based on static tags on the information/resource being accessed or dynamic analysis made in real time by the data aware component (e.g. this data looks like a bunch of credit card numbers so we should not be giving the user access).
  • The analysis of data usage patterns across different environments allows for additional smarts when trying to manage risk, especially in cases where patterns are outside the norm of a user's peers. The trick here is being able to turn the data gathered into information to feed back to a GRC (Governance, Risk & Compliance) solution or SIEM (Security Information and Event Management) dashboard. Otherwise, you could just point any old reporting engine at the data and achieve the same result (which is far from what one would call proper integration).
  • Access and data governance are typically silos in organisations today. If you're able to tie the two together, the management overhead is reduced significantly. That's why it's a big deal if an organisation is able to get a single view of both from a management standpoint. This is not to say it cannot be done today. The key point I'm making here is that it's just really hard to do. If a vendor makes it that much easier to achieve, it saves time and money.
  • Improving the lifecycle activities around enterprise information and content management by using the data discovery and classification capabilities to provide additional context to the relevant processes.
I'll leave it as an exercise for the reader to figure out which CA product/s to slot into each example. The point is, they have something in their product stack to integrate with DLP in each example. What these illustrate however, is the direction CA are headed in with regards to the DLP strategy (even though some of it is a little high level).
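As an added illustration of the content aware access management use case in the first bullet above (hypothetical code, not CA's or any vendor's): a web access manager asks a data-aware component for classification labels, derived either from static tags on the resource or from real-time analysis of the content (here, a Luhn-checked card number scan), and denies the request when the user's roles are not cleared for a label. Policy, roles and sample pages are constructed.

```python
"""Content-aware access decision: static tags plus dynamic content analysis
feeding a web access manager's permit/deny decision. Hypothetical example."""
import re
from dataclasses import dataclass, field


@dataclass
class Resource:
    path: str
    content: str
    tags: set = field(default_factory=set)  # static classification tags


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or hyphens, as a whole token
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def classify_content(text: str) -> set:
    """Dynamic analysis at request time: labels derived from the content served."""
    labels = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            labels.add("PCI")
            break
    return labels


# Constructed policy: which roles may see content carrying each label
POLICY = {
    "PCI": {"payments_ops"},
    "PII": {"hr", "privacy_office"},
}


def access_decision(user_roles: set, resource: Resource) -> tuple:
    """Return ('permit', None) or ('deny', label) for the first label the user cannot see."""
    labels = set(resource.tags) | classify_content(resource.content)
    for label in sorted(labels):
        allowed = POLICY.get(label)
        if allowed is not None and not (user_roles & allowed):
            return ("deny", label)
    return ("permit", None)


# Constructed sample resources: one with a real-looking card number, one with a
# 16-digit order id that fails Luhn, one statically tagged as PII
CARD_PAGE = Resource("/reports/refunds.html", "Refund to card 4111 1111 1111 1111 processed.")
ORDER_PAGE = Resource("/reports/orders.html", "Order 1234567890123456 shipped.")
HR_PAGE = Resource("/hr/review.html", "Performance notes.", tags={"PII"})

if __name__ == "__main__":
    for roles, res in [({"sales"}, CARD_PAGE), ({"sales"}, ORDER_PAGE), ({"hr"}, HR_PAGE)]:
        print(res.path, sorted(roles), access_decision(roles, res))
```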

Gijo was honest in acknowledging they don't have a lot of the things they want out of the box just yet. At this stage, many of the things I've mentioned (in terms of product strategy) will require a good amount of services work. I'm not going to criticise them for this as they only acquired Orchestria earlier this year and it's unrealistic to expect all the required integration to be built out so quickly, especially with a whole suite of products like CA's. What I do like a lot, is where they're going.

CA's strategy is good. They're on a journey and their DLP product is the jewel in their security suite from a competitive standpoint (against the other big IAM vendors). They also stack up well against their competitors in the data security space; in this case the advantage comes in the form of their IAM suite (and to a certain extent, their ever improving GRC prowess), which other data security vendors do not have. Those familiar with the security space might notice I haven't made any mention of the fact that RSA also have both IAM and DLP capabilities. Don't forget however, that it's a bit of a stretch to call RSA's IAM capabilities a suite (e.g. they don't do provisioning). They also have no real GRC capabilities to speak of (their GRC page is a bit of a joke).

As long as CA don't neglect the core data security capabilities in DLP along the way, they're going to do just fine.

Friday, October 30, 2009

CA GRC Manager adds IT GRC focus

Earlier last week, CA sent out a fairly lengthy press release with a list of products they've updated. The 2 products that caught my eye were GRC Manager 2.5 and DLP 12.0. This post covers GRC Manager.

Back in February, I spoke to CA about their 2.0 release of GRC Manager. Then, it was all about what they called RiskIQ and turning raw data into useful information to better manage risk and compliance. To me, version 2.0 marked the real arrival of CA as a GRC vendor to contend with because it showed they were serious and that the 1.0 version wasn't a flash-in-the-pan-side-project they thought they'd try out to see what would happen.

Late last week, I spoke with Marc Camm (SVP & GM, Governance, Risk and Compliance Products) and Tom McHale (VP of Product Management for CA GRC Manager) to see what they had to say about the new release.

The message that came through loud and clear was that version 2.5 is very much about IT GRC. If you're interested in specific new features (I don't normally do this but since it was a long press release), here's the relevant section lifted directly from CA's press release:
  • Automated Questionnaires - Allows customers to easily create, distribute, and analyze the results of questionnaires for risk and compliance controls assessments.
  • Robust Reporting Engine - Provides a set of pre-defined, role-based reports, as well as easily configured reports for local needs.
  • Ongoing IT Controls Monitoring - Automates input of IT controls status information into CA GRC Manager and provides a single view of overall IT risk and compliance profiles.
  • Extensions to IT Control Framework - Supports mapping between individual controls and authority documents, featuring a library of more than 400 regulations with mappings to IT controls from the Unified Compliance Framework.
  • Streamlined Management of Select FISMA Requirements - Offers a centrally managed information security system with extensive dashboards and reports, providing instant, comprehensive information about controls and processes related to Federal Information Security Management Act (FISMA) requirements.

The new features and focus on IT GRC came about through feedback the product management team gathered from existing GRC Manager customers. Reading between the lines, it also looks like CA tried to make version 2.5 of the product much more usable (I'm in no way suggesting 1.0 was not usable).

Some examples mentioned include:
  • Dashboard improvements to allow for better navigation between risks, controls, application contexts etc.
  • Standard, pre-configured roles included out of the box for better support from day one. In a way this could be viewed as "best practice" roles for controlling access to various parts of the application and actions performed.
  • Extended functionality within the reporting engine to allow users to customise pre-built (out of the box) reports without having to build their own from scratch all the time.
The addition of FISMA requirements and extended Unified Compliance Framework support are further evidence of this.

That's not to say there isn't any work to be done from an implementation standpoint. It's a GRC product. Anyone who thinks you can implement a GRC product without a good amount of internal effort (and external help) is delusional. What I think CA's tried to do is make GRC Manager more of an enabler for Enterprise GRC; in other words, they want to help fast-track efforts by providing as much up front as possible.

One thing that's interested me for some time is the notion of managed services (I even ran a survey to try to find out more). As a result, I couldn't help but ask Marc and Tom whether any of their customers actually use CA GRC Manager On Demand (the hosted version of the product). Apparently 20% (I won't hold CA to this number as it was just a rough figure) of their customers use GRC Manager in this capacity with a bunch of others wanting to migrate.

The fact that this version still starts with a "2" isn't lost on me. It's not a major release in the traditional sense, but CA added enough features to warrant them making some noise about it. I'll be interested to see what version 3 holds, but I'm even more interested in the percentage of customers that end up going with GRC Manager On Demand in the next release.

Thursday, October 29, 2009

CA's been busy

Earlier last week, CA sent out a fairly lengthy press release with a list of products they've updated; I guess they've been busy.

That said, most of the updates were fairly minor:
  • Access Control got some privileged user management teeth.
  • Identity Manager got more hooks into Role & Compliance Manager to give us "Smart Provisioning". According to CA, this means they now provide: "the capability during the provisioning process to prevent business and regulatory policy violations. The software will proactively check for things like SOD (segregation of duties) violations during the provisioning process; it will issue an alert when an entitlement has been assigned that is significantly out-of-pattern or different from the person’s peers; and it will help with productivity and efficiency by suggesting roles that may be useful to a person when compared to the roles of his or her peers."
  • Records Manager got some stuff but I fell asleep reading about it.
The 2 products that caught my eye were GRC Manager and DLP. I'll be writing 2 follow-up posts about them. Stay tuned.
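The three provisioning-time checks in the quoted "Smart Provisioning" description (block SOD conflicts, alert on an entitlement that is out of pattern with the person's peers, suggest entitlements common among peers), as an added illustration with constructed rules and peer data; this is hypothetical code, not CA Identity Manager's.

```python
"""Provisioning-time checks: segregation of duties, peer-based outlier alerts
and peer-based suggestions. Hypothetical example with constructed data."""
from collections import Counter

# Constructed segregation-of-duties rules: entitlement sets that must not be co-held
SOD_RULES = [
    ({"ap_create_vendor", "ap_approve_payment"}, "vendor creation vs payment approval"),
    ({"gl_post_journal", "gl_approve_journal"}, "journal posting vs journal approval"),
]


def sod_violations(current: set, requested: set) -> list:
    """Rules violated if the request were granted on top of current access."""
    held = current | requested
    return [reason for ents, reason in SOD_RULES if ents <= held]


def peer_share(peers: dict) -> dict:
    """Fraction of peers (user -> entitlement set) holding each entitlement."""
    counts = Counter(e for ents in peers.values() for e in ents)
    return {e: c / len(peers) for e, c in counts.items()}


def out_of_pattern(requested: set, peers: dict, threshold: float = 0.25) -> list:
    """Requested entitlements held by fewer than `threshold` of the peer group."""
    share = peer_share(peers)
    return sorted(e for e in requested if share.get(e, 0.0) < threshold)


def suggest_entitlements(held: set, peers: dict, min_share: float = 0.6) -> list:
    """Entitlements most peers hold that the person would still lack."""
    share = peer_share(peers)
    return sorted(e for e, s in share.items() if s >= min_share and e not in held)


def evaluate_request(current: set, requested: set, peers: dict) -> dict:
    """Combine the checks: SOD conflicts block, outliers go to review, else approve."""
    violations = sod_violations(current, requested)
    alerts = out_of_pattern(requested, peers)
    decision = "block" if violations else ("review" if alerts else "approve")
    return {
        "decision": decision,
        "sod_violations": violations,
        "out_of_pattern": alerts,
        "suggested": suggest_entitlements(current | requested, peers),
    }


# Constructed peer group (same department and title) and their entitlements
PEERS = {
    "alice": {"ap_create_vendor", "gl_post_journal", "crm_read"},
    "bob": {"ap_create_vendor", "crm_read"},
    "carol": {"ap_create_vendor", "gl_post_journal", "crm_read"},
    "dan": {"gl_post_journal", "crm_read"},
    "erin": {"crm_read", "hr_view_salary"},
}

if __name__ == "__main__":
    print(evaluate_request({"ap_create_vendor"}, {"ap_approve_payment", "hr_view_salary"}, PEERS))
    print(evaluate_request({"crm_read"}, {"gl_post_journal"}, PEERS))
```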

Wednesday, April 29, 2009

CA continues to round out their security portfolio

Lots of interesting things happened last week in the information security space. This was largely due to the RSA Conference and the number of company announcements that coincide with it each year. Of course, Oracle stole much of the thunder by announcing their acquisition of Sun Microsystems. I've chosen not to comment on it because there's enough speculation out there (some informed, some less so). Also, I would have sounded like a broken record because any analysis on my part would have sounded very similar to my piece on the potential IBM and Sun deal that eventually fell through, but with an Oracle spin.

From a large Identity and Access Management (IAM) vendor standpoint, the most interesting piece of news actually came from CA. In fact, the only bit of IAM vendor news came from CA because the others didn't announce anything at all (I don't count "what the heck is going to happen to the Sun IAM stack" as news because at this point it's all speculation and is very much dependent on what Mr Ellison and his cohorts decide to do once the deal closes and the dust has settled).

I've written about how CA has been running faster than their competitors since late last year and they haven't stopped if the latest announcements are anything to go by. They actually made 3 announcements around RSA; the first was a pointer to Dave Hansen's (Corporate Senior Vice President and General Manager of CA’s Security Management business unit) keynote at RSA (the video of the keynote is here), the second I'll talk about in the next paragraph and the third related to a survey conducted by CA which Dave also referenced in his keynote.

The second announcement was the most interesting as it involved news around their portfolio, where they announced 3 new products:
Note: The DLP acronym generally stands for Data Leakage/Loss Prevention

I spoke to Dave Arbeitel (Vice President of Product Management for the Security Management Business Unit) about the new products late last week and got to find out a little bit more.

I hadn't actually noticed this but Dave pointed out that CA's approach to security management is now solution-focused and grouped as follows:
The large IAM vendors are split between being product-focused and solution-focused and the approach taken is very much dependent on the overall company strategy. One thing I should note is that being solution-focused is fine as long as you don't get too smart for your own good and confuse customers (as I've accused IBM of doing on occasion).

Each of the 3 new products fits into one of the solution categories. My interpretation of the solution areas is that CA seems to have grouped what they deem to be the most complementary products together. The most interesting thing to note is that they've grouped CA Access Control together with CA DLP. This makes sense and is evidence that CA gets DLP and are starting to implement a strategy around how IAM and DLP can work together effectively. I'm not saying they get it completely yet, but this is not necessarily a bad thing. The industry as a whole doesn't quite understand the IAM/DLP/Data Security overlap at the moment. At least CA are trying to work it out by putting their money where their mouth is. But I'd caution them against putting too much of a marketing spin on things because people (like me) will call them out when required.

The key thing Dave wanted to get across was that CA has a broader security management strategy and these product announcements are simply steps along the execution path. This has been apparent to those of us following the market over the past couple of months and if CA keeps going, they're going to do just fine as long as they execute well.

I didn't get too much into product features of the Role & Compliance Manager and DLP products with Dave because Eurekify and Orchestria had relatively mature products. There wasn't much point in trying to pick those products apart. The only noteworthy change was that CA combined Eurekify's products into the single product (for those that are unaware, Eurekify had a separate compliance management product that integrated with their role management product). Dave also noted that the new products were not just a re-brand. CA's done additional development work to add functionality and integration points into the existing CA IAM suite.

While we're on the point of integration into the existing IAM suite, I'd like to pinpoint the supposed deep integration and "identity-awareness" of the DLP product. I had a chuckle watching Dave's keynote (and it wasn't from watching the almost cringe-worthy parody of "The Office"). During the demo, they supposedly showed identity management and data security integration. For anyone who hadn't seen a DLP product in action, it looked pretty slick/impressive.

As someone who has demonstrated a DLP product hundreds of times (maybe even thousands - I lost count after a few months) I can tell you that most of the demo only showed the DLP product in action. The solitary identity bit was the de-provisioning of the user (Dave) from a role (which took away access to the SAP application in the demo). Apart from the fact that CA Identity Manager probably has a standard connector into CA DLP to provision and de-provision access for users, they weren't doing anything in the demo that anyone else couldn't do by taking a decent provisioning product and building a connector into a good DLP product. Unfortunately CA, this isn't what I'd call identity-aware-DLP. I realise I may be dismissing other potentially (but unknown to me) nice integration points between DLP and CA's Identity and Access Management suite but I'm going based on the demo and calling it as I see it.

I did try to dig a little deeper into Enterprise Log Manager's features however, mainly because it's brand-spanking new. The only problem with Security Information and Event Management (SIEM) products is that you can't really get a handle on how good a product is until you get your hands on it. Dave assured me that installation is a breeze and that it can even be deployed as a virtual appliance, which I have no reason to doubt. From a technical standpoint, this is not difficult to achieve.

Good SIEM products tend to be measured by the ease of integration, number of standard collectors to other systems and reporting capabilities. The questions I asked Dave were driven by these factors and I gathered that Enterprise Log Manager is still very much a 1.0 product (that is, fairly immature). As an example, Dave mentioned that the product was tightly coupled with their IAM solutions. CA is probably referring to the fact that they can reference policies defined in some of their IAM products (although I'm not sure how deep or wide this integration runs) and have Enterprise Log Manager report on policy violations. But from a customer standpoint, I would expect that this also means I can point Enterprise Log Manager at any CA IAM product and have it be able to collect all relevant user events and report on them without much effort. Unfortunately, this is not the case (I'm sure CA will correct me if I misinterpreted Dave's comments). There needs to be some level of work done to have collectors that can pull information out of the other CA IAM products.

This is not to say there aren't any standard collectors, but I got the impression that this covers the main operating systems and some standard security devices but not much else. The thing about a lack of collectors however, is that the issue fixes itself over time because the more a product is deployed, the longer the list of standard collectors gets. CA needs to build standard collectors for their other IAM products sooner rather than later (I would start with Access Manager, Access Control and DLP). You cannot claim to have tight integration with your own suite of products if you don't at least have these products sorted.

The reporting capabilities seem to be a little more fleshed out. The vision for reporting is that customers use a combination of standard reports, services and new report packs that CA sends out from time to time. The list of standard reports includes many of the usual regulatory suspects, but in my experience these types of standard reports tend to need customisation to meet business needs. For customers that don't feel like using the standard reporting interface, there is a level of integration with SAP BusinessObjects Crystal Reports.

I'm not trying to belittle CA's SIEM efforts. They obviously see SIEM as part of their strategy, but they are a little late to the party on this. It doesn't preclude them from trying however, and at least they have now arrived at the party. I think they knew they weren't going to get a market-leading product at the first attempt. They made the decision to build the product from scratch and they would have been foolish or delusional to expect a world-beater at the first attempt. It does seem a little puzzling why they didn't choose to acquire a leading SIEM player and went with the build approach instead.

As is the norm with these discussions, I tend to ask about things not related to the news at hand as we move past the main items of discussion.

My first unrelated question related to the IDFocus product they acquired and whether any part of that solution made it into the 3 new products. The answer was no because even though it has some level of potential integration with role and compliance efforts, it fits best into the Identity Manager product where it helps to link business processes with provisioning requirements.

My second unrelated question was around the notion of having a central policy management point for all the products (like Symantec and McAfee are trying to do with their own products). The point of this question was to gauge if CA's strategy includes the centralisation of policy management. I didn't expect much because it's actually a VERY difficult thing to do and very few of the large IAM suite vendors have the appetite to invest in this area. I'm not talking about the engineering aspect, which is simple when compared to the actual analysis behind how one would rationalise all the different ways policies could be represented and trying to figure out how to apply an over-arching model to a large portfolio of products. Add DLP to the mix and it gets exponentially more complex because of all the data-centric requirements. For the record, Dave's answer was that the focus shouldn't really be on having a central policy store or management point. It's more about having the right processes occurring between the IAM products to ensure the correct policies are in place at the points where they need to be applied.

Overall, I think CA's got the right idea in terms of strategy. Whether their products are able to deliver remains to be seen. They've got some serious integration work to do so they can get a more coherent story out there and have products that deliver on the promise they are showing. CA does have a trump card to play that their competitors don't have (yet), and that's the DLP product. As I've said before, identity and data security go hand in hand.

Tuesday, February 10, 2009

CA continues their GRC march

I've observed in the past that CA looks to be getting serious about this whole Governance, Risk and Compliance (GRC) caper. Today, they released version 2.0 of their GRC Manager. I first found out about the impending release some time last week when CA got in touch offering a briefing, which I accepted (Aside: I usually accept these requests unless there's a conflict of interest on my part).

I spoke with Marc Camm (SVP & GM, Governance, Risk and Compliance Products), Tom McHale (VP of Product Management for CA GRC Manager) and Sumner Blount (Senior Principal Product Marketing Manager for Governance, Risk & Compliance) regarding the release. Apart from the press release, CA's also made a blog post and a video. There's even a few screen shots. All I can say is that they've gone all out to get some discussion around the release.

I won't rehash any of the stuff CA's already put out there because I really hate when others do it. What I will say is that version 2.0 is centred around what CA calls Risk IQ, which is another way of saying they want to help turn raw data into useful information that organisations can use to make better decisions around risk. This however, has always been the "holy grail" of any product with "risk" or "monitoring" as part of its features. Whether CA's Risk IQ delivers on promise remains to be seen. 2.0's features are essentially all the useful "risk bits" they didn't put into version 1.0. It's available via the standard off-the-shelf model we're all so used to, a managed services offering or the SaaS version (CA GRC On Demand).

Some other things I did pick up during the conversation:
  • CA did not deny that there would still be a sizable amount of "heavy lifting" done by organisations and implementation partners (such as PwC). GRC Manager is simply a tool to facilitate risk and compliance requirements.
  • GRC Manager leverages the IT Unified Compliance Framework as a way of attempting to implement a core set of policies that allows for easy expansion for use with regulatory requirements (e.g. Sarbanes-Oxley, HIPAA). Note: a lot of the large vendors take a similar approach - for example, IBM Tivoli likes COBIT.
  • CA runs their GRC and Security divisions as separate business units. In other words, they will ensure they integrate nicely with the Security products but are just as happy to integrate with other Identity and Access Management suites (this is "toe the company line" speak for "we don't really care if our potential customers don't use CA's security products"). I asked them how they saw the recent acquisitions of IDFocus, Eurekify and Orchestria and they said it was great to have as additional tools for integration within the CA family, but don't have any plans for wrapping GRC Manager around them as they belong to the Security division.
  • One thing I wanted to clarify for my own understanding was whether they saw GRC Manager more as an identity-focused, operations-centric GRC tool or an enterprise GRC tool. The answer was that GRC Manager is an enterprise GRC tool, a "manager of managers" if you like. In other words, GRC Manager competes more with OpenPages than it does with SailPoint.
Relatively speaking, CA are just starting their GRC software journey, but I think they've got a head-start on many of the other large vendors they are usually pigeon-holed with (except for Oracle, who have a genuine claim to at least be on par, if not ahead). I'm not sure if they're quite there in terms of functionality when compared with some of the established smaller players (e.g. OpenPages) but they certainly have the ambition and company focus to get there. Once again, it'll be about execution (and perhaps the odd acquisition here and there).

Wednesday, January 07, 2009

CA acquires Orchestria

I noted late last year that CA seems to be sprinting towards 2009. Looks like they haven't stopped and have bolted out of the blocks in 2009 by announcing the acquisition of Orchestria. My Identity Management (IDM) and Data Leakage Prevention (DLP) worlds are colliding here so I felt the need to say something.

I should note that this post focuses on the acquisition. I'll be doing a follow-up post regarding why I think IDM and DLP are complementary solutions and fit well together.

CA are one of the leaders in the Identity and Access Management software marketplace. Most would group them with IBM, Oracle and Sun as the leaders. As I've said recently, they've been going from strength to strength and I probably don't need to say too much more about them at the moment.

Orchestria are a very strong player in the DLP space and well respected. They are a very strong competitor to Symantec (they acquired Vontu, who many considered to be the leader in DLP software) and have the typical DLP components covered off: endpoint controls, network monitoring, data-at-rest capabilities and email server controls. I haven't actually seen their products in action so I can't comment on whether they can do everything they claim, but they tick most of the boxes on a marketing slide and in RFPs. In other words, CA made a good choice in picking Orchestria from a "perception" standpoint. If the technology works as specified, they're on to a winner.

What this means is that CA's got a head-start on everyone else. It'll be interesting to see what they do with it. Early signs are good because they've already stated they see close links with their IDM suite. They may need to watch IBM because IBM ISS offers a data security managed service, but IBM as a whole will never be able to get their act together to compete (if someone wants a combined IDM + DLP solution) unless Tivoli acquires the other vendors mentioned (one of which is Verdasys, who I used to work for). As an aside, the gentleman who runs CA's Identity and Access Management EMEA organisation knows his DLP. How do I know this? Because we used to be colleagues at Verdasys. So there's another "tick in the box" for CA.

I haven't been able to find other commentary on this acquisition (apart from publications spitting out the press release) except for this article from NetworkWorld. Dave Hansen, CA's corporate senior vice president and general manager, CA Security Management is quoted as saying:
"We were not competing in this space, and our two main competitors don't have data-leak prevention."

He's referring to IBM and Oracle if my interpretation of the article is correct (he's mostly right if you don't count the IBM ISS capabilities I mentioned above - I think he's referring to IBM Tivoli Software though so I'll let it pass). In fact, the only Identity and Access Management vendor that sells DLP software is RSA (via their acquisition of Tablus) in the form of their DLP Suite. Unfortunately for RSA, they still don't have a provisioning product, which is why none of the large IDM suite vendors ever thinks of them as being a serious competitor. I should point out that Novell has some data security stuff, but nothing that would make anyone take them seriously.

The article also makes reference to Dave's comment as follows:

"While CA says its primary competitors in the identity and access management market -- IBM and Oracle -- don't have such DLP capabilities, Symantec does."

I don't mean to pick on the article, but what's the point of mentioning Symantec? It might as well have said McAfee...or Trend Micro...or any vendor that has Antivirus products and claims to also do DLP. Kaspersky, Checkpoint, Sophos...I could go on but I won't. I think the writer's referring to the fact that CA and Symantec are competitors in the security market, but we're talking Antivirus products and NOT Identity and Access Management software (where Symantec are not a player).

All things considered, this is a good move for CA.

Update: My post on why I think IDM and DLP are a good fit is here.

Monday, November 17, 2008

CA sprints towards 2009

Oracle acquired Bridgestream (I wrote about this here). Then Sun acquired VAAU. Now CA's acquired the last remaining high profile role management player, Eurekify.

First of all, congratulations to founder Ron Rymon (he's the only person from Eurekify I've actually met) and the team. As I said to Ron earlier this week, it makes a lot of sense and I think it's a good fit.

I've written about CA's moves in the past and also mentioned the CA-Eurekify partnership in passing. It looks like they're keeping the momentum up and making a lot of headway towards competing with the other leaders in the Identity and Access Management marketplace.

I don't think the Eurekify acquisition is going to change the landscape too much mainly because of the existing partnership. The initial benefit is going to be that their sales reps probably get paid more commission for selling "CA Role Manager" or whatever they call the Eurekify product. In the longer term however, they're obviously going to have to integrate Eurekify's products into the CA stack so there's eventually going to be the "out of the box" integration benefits. Of course, the main benefit to CA as a company is in being able to market the fact they are now a serious role management player (along with Oracle and Sun).

The Eurekify acquisition also plays very nicely into CA's move towards being a strong GRC player. Eurekify's product set does include some GRC components geared towards identity compliance with an obvious focus on roles. CA's existing GRC Manager lacks some of the features around the identity-centric compliance niche that SailPoint and Aveksa play in, but I'd be very surprised if CA doesn't fill the gaps using Eurekify's technology, given that Sun just released their Identity Compliance Manager product (which I believe was based on VAAU technology - all you Sun bloggers can correct me if I'm wrong about this) and that Oracle has something along these lines on the roadmap (according to Amit Jasuja when I spoke to him).

CA compounded their GRC march this weekend at CA World by announcing a Software as a Service (SaaS) version of their GRC Manager product, dubbed GRC Manager On Demand. This makes them the first large Identity and Access Management software vendor (the others being IBM, Sun, Oracle and Novell) to release a SaaS offering. I'm unsure how well it's going to sell given the results of my Managed Identity Services survey but what it does show is intent on CA's part to get serious about competing and getting ahead.

Oracle, Sun and CA have been very active of late. IBM and Novell have not. In fact, they have been VERY quiet. IBM will actually be releasing a new Entitlement Management product later this year but that's a little ho hum as I've already said. I have a feeling something is brewing because IBM and Novell cannot afford to sit around and watch everyone else get waaaay ahead. Novell's Access Governance Suite is an OEM of Aveksa's software. In other words, if Novell acquires someone in the role management/identity compliance area, my money's on Aveksa. This leaves IBM and SailPoint as the remaining pair. Watch this space.

Tuesday, June 17, 2008

CA positioning itself to be a GRC vendor that matters

I've been away for the past week on a short break (Athens and Santorini - if you haven't been to Santorini, you MUST add it to your to-do list). Naturally, that means that I've missed a whole bunch of news and have to catch up.

CA made a bunch of announcements last week regarding their line of security related products. The first about a new release of CA Identity Manager, another regarding CA Access Control, a third referring to CA GRC Manager and the last in relation to a brand new product called CA Security Compliance Manager.

I found the Identity Manager and Access Control announcements boring because they are just upgrades to existing products which almost all their competitors have. Upgrade announcements are boring because they are about new features which no one will really understand until they see them in action...and even then the competitors will all say "oh yeah we can do that too" even if they can't and just get the sales engineer to hack something together for the demo or POC that looks like it's out of the box.

I found the other 2 announcements much more interesting from a strategic standpoint...

The first thing I noticed was that they are sticking to the industry norm of using a completely boring name for new products while at the same time managing to use the same name as another vendor (e.g. all the major software vendors have a product called Identity Manager which does all the provisioning, de-provisioning, password management and account workflow related activities). In this case however, they have managed to use the same name as a product IBM has (Tivoli Security Compliance Manager) but for a completely different purpose.

The second thing I noticed was that they suddenly have 2 GRC centric products. If you are a regular reader, you'll know that I'm now doing some work in the GRC area after my year long sojourn into DLP so anything GRC related gets my attention.

Like many industry terms floating around (especially newer ones), GRC means different things to different people. It also means there are many software vendors out there claiming to solve all your GRC problems. What people don't necessarily always understand is that there are many different approaches (and drivers) for a GRC program within an organisation. Most commonly, a GRC initiative is viewed from one of the following angles:
  • Risk Management
  • Finance/Audit
  • IT Security
  • Business Controls/Operations
This is not an exhaustive list and most of the time there's a fuzzy line between each. In other words, there's always going to be overlap. I should also point out that an approach is not necessarily the same as a driver, but they can be the same thing. For example, the driver might be that the organisation needs to meet regulatory requirements. The combination of the regulatory requirements and the business areas affected will determine what approaches need to be taken. Or the driver might simply be that business controls need to be better monitored, controlled and audited to improve the bottom line. In this case, the approach is the same as the business driver.

As a result, there are a lot of GRC software vendors that don't necessarily compete with each other even though at first glance you might think they do (usually because they stick the term GRC in their description). In fact, it makes sense for a lot of vendors out there to partner with each other to provide a more complete solution for organisations because none (including the large vendors) actually cover off the entire GRC solution. Whether an organisation needs the complete solution is an issue for another day.

Here's why the CA announcement is interesting. CA GRC Manager looks to be enterprise risk management focused. They've now added CA Security Compliance Manager which looks to be IT Security focused. It's starting to look like organisations have decided that IT Security Governance needs to be centred around identities, which is why IT Security GRC is sometimes referred to as Identity Centric GRC. In my opinion, this means CA Security Compliance Manager competes directly with the likes of SailPoint and Aveksa. Notice that I haven't mentioned any of the large vendors (e.g. IBM, Oracle, Sun, Novell, SAP) in this space. This is because they don't have anything that competes. Here's why:
  • IBM don't have a GRC product. They use a combination of IBM Tivoli Identity Manager (ITIM) and IBM Tivoli Compliance Insight Manager to do GRC-like tasks. IBM, I'm afraid nice-looking reports and some ugly ITIM screens that do some level of attestation (but which business users can't figure out how to use) don't cut it.
  • Oracle have a product, but it hooks into all their Finance, ERP and CRM applications. This means it's very focused on business controls.
  • Sun thinks Role Management = GRC. I have news for you Sun. Even in combination with some of the things Sun Identity Manager does, you're still not there.
  • SAP have solutions, but they all hook into...well, SAP! Just like Oracle, it's focused on business controls.
  • Novell are even worse off than the others because they are still peddling their provisioning and access control solutions as being able to solve all your governance and compliance problems.
It looks like CA is ahead of the curve in this case. Keep in mind I'm talking strategy and ability to execute and bring something to market. I'm sure all the other large vendors I've mentioned have some sort of plan. A lot of the discussion behind closed doors is probably around who they should acquire to fill the gaps. That said, the new CA Security Compliance Manager doesn't look to have some of the functionality that SailPoint and Aveksa have, but they've essentially just released a version 1.0 of a product and they have the marketing dollars to make up for it in the initial stages. They can also claim to have integration into their GRC Manager product and their Identity and Access Management suite so that's also a leg up on SailPoint and Aveksa because they can sell the "suite concept" instead of convincing organisations to go with a "best of breed" approach that smaller vendors have to preach.

Thinking out loud, it might make sense for CA to partner with SAP on a joint GRC marketing campaign. I seriously doubt Oracle (or CA) will agree to such a concept. Or maybe SAP should just buy CA and be done with it.

Thursday, March 08, 2007

CA and BEA IAM partnership half-assed

CA and BEA have announced a strategic partnership to integrate CA's Identity and Access Management suite with BEA's WebLogic and AquaLogic products. You may have noticed I called this a "half-assed" step. In other words, I don't think it'll be particularly successful. Let's analyse it, shall we...

First of all, each has a product that competes with the other in the security and identity space. CA has its Embedded Entitlements Manager while BEA has its AquaLogic Enterprise Security product (don't get me started on what a stupid, generic name this is - did they seriously pay someone to think up the name? I hope not!). What's a customer to do? Pick one over the other? I want to be a fly on the wall when BEA and CA go to a customer pitching the combined solution and the customer asks about entitlement management (just another name for authorisation management - see my thoughts on this here) and what product they should use to fit in well with the proposed, combined, "nicely integrated" CA/BEA solution. Is each side going to stab the other in the back and tell the customer in side conversations why they should go with CA? Or BEA? Not a good look guys...especially when trying to present a unified front.

Secondly, this statement from the press release is just stupid:
"CA will include WebLogic Server Premium Edition evaluation license with CA Identity Manager as the application server of choice for CA IAM technology."

If you want someone to use your solution, give them a full version. Evaluation licenses suck. And when you give out an evaluation license when trying to get someone to use it, that's just stupid. So maybe BEA doesn't want people using the WebLogic server without paying for it. Here's the solution. Limit it for use with CA Identity Manager and CA Access Manager. If they want to extend the use of the WebLogic server, then they can pay for the right to do so. Here's what's going to happen if you stick to this limitation:
Customer: I want to buy CA Identity Manager and CA Access Manager based on that quote you gave me.
CA Sales Rep: Cool. Thanks very much. Now, our strategic partnership with BEA means that our products work best with WebLogic and it will be best for you to use it.
Customer: Ok. So I can just run this on WebLogic when I deploy it right? No strings attached.
CA Sales Rep: Actually, you get an evaluation license so you can probably run it in development and when you decide to move forward into production, you'll need the full license.
Customer: What do you mean full licence?
CA Sales Rep: You'll need to purchase it from BEA.
Customer: Isn't that included in the quote you gave me?
CA Sales Rep: No. You'll need to talk to BEA about that.
Customer: Why didn't you include it in the quote?
CA Sales Rep: We wanted to keep your costs down and give you a choice of application servers...but I'm just telling you it works best with WebLogic.
Customer: Ok, what if I don't have the budget to buy WebLogic licenses?
CA Sales Rep: Oh, our solutions work nicely with other application servers that we support too. You don't need to worry about that.
Customer (feeling a little cheated): Ok, but you're telling me I really should be paying more money to run it on WebLogic because it runs better?
CA Sales Rep (sensing he may lose the sale): Oh I didn't mean that. It just has more integrated pieces but we don't enforce that you run it on WebLogic. Our products are extremely stable on other application server platforms.

What do CA and BEA get here? A customer feeling cheated, CA trying to save the sale by cutting BEA out of it and BEA not knowing any better and losing a potential sale...not to mention gaining some negative perceptions from the customer as a result. If they had been up front about using BEA, the situation would probably be better for all (including the customer) from a relationship standpoint...but it would cost more. So, if you're a CA Sales Rep, what do you do? More than likely, you don't put it in your quote!

If you turn the tables and look at what BEA would do from a sales standpoint, they would probably do the same thing. Say that they work best with CA if a customer wants identity management, but that they could easily run another vendor's product (assuming the other vendor supports WebLogic). The BEA sales rep doesn't care - they just want the sales revenue.

The ONLY way this is going to work is if BEA chooses to ONLY support CA as a vendor (in this space) and CA chooses to ONLY support running their software on WebLogic. I really don't see this happening from a business standpoint. It would limit their routes to market and seriously handcuff their sales force. There are probably sales incentives in place to try to make this work, but if you're a sales rep and had to choose between having a 25% chance of a sale involving CA and BEA but gave you more commission and a 50% chance of a sale which didn't include the other vendor and gave you a little less commission, which would you pick? Almost all sales reps would go with option 2!

Another area of focus for this partnership involves engineering and development. The press release states:
"The two companies plan to validate and further extend integration between CA SiteMinder and BEA WebLogic and AquaLogic technologies, while also collaborating on identity and access management standards."

All this means is that they'll have regular calls, meetings and group hugs. They'll share a few APIs around and that'll be it. Sure, some APIs shared are probably not public APIs, but anyone with a decompiler can figure out what these are. They may get some priority support when they can't figure something out and will be able to have access to the guys who know what they're talking about in the engineering teams. But ultimately, these are still 2 different companies. The "open the doors, lift up the kimono" policies only go so far. The "super secret" stuff and strategic discussions will not go beyond company walls. So CA and BEA will simply treat each other like they do other ISVs. The difference is that they probably have a secret "Bat Phone" where they can call each other. That's about it.

The last area of focus is apparently on sales and marketing where they will:
"Implement marketing and sales programs to communicate the value proposition of their joint solutions to current and prospective customers and proactively team together on customer opportunities."

It sounds like someone in marketing wrote that statement alright. It means nothing. Ok so CA and BEA will throw some money in the pool and pay some agency to come up with something for them jointly? As for their ability to proactively team on customer opportunities, I think I've already outlined earlier in this post how that will go.

And to finally prove to everyone exactly why this won't work, they had someone from legal go through the press release and add this gem to the end of the statement:

"Some of the statements in this press release are forward-looking, including the statements regarding the plans, goals, completion, implementation, benefits, and details of the relationship between BEA and CA; the companies' further investment in development efforts, product delivery, validation and extension of products and other goals related to this relationship; and the ability of BEA's and CA's partnership to reduce customer costs and improve customer performance. Actual results could differ materially from those expressed in any forward-looking statements."

Way to instill confidence in the market guys...especially while you're trying to convince everyone this will work. If you're not sure if it'll work, why announce it? Why not go behind closed doors and nut it all out...do sound joint marketing and sales calls and see how it works? Don't announce something and then shove a disclaimer in there that says "hey, don't sue us if it doesn't pan out. Even we're not sure if it'll pan out."

Even within companies that own all the technology involved, these issues I've mentioned above happen. The difference is that someone in a position of power within the company can sort the issues out. I worked for IBM...I know what can happen. But I also know that higher powers that be can usually fix the politics...even if the sales guys aren't happy about it. It's usually about what makes the customer happy. If it means some sales guys aren't happy, so be it. I mention IBM because if we're talking about Identity and Access Management suites and Application Server/SOA technologies working together, IBM has Tivoli and WebSphere. Similarly, Oracle has their Identity and Access Management suite and the Oracle Application Server. The story also rings true for Sun.

This may be CA and BEA trying to catch up to the pack that is IBM, Oracle and Sun. That's the only thing that makes sense. CA doesn't have a footprint in the SOA/application space. BEA doesn't do Identity and Access Management. The pieces fit if you take a 100,000 foot view. Analysing it further however, the picture is not so rosy.

If CA and BEA want to make this work properly, one of them has to buy the other one. Hey, it makes sense doesn't it? They each have the pieces that the other is missing. Is this where they're headed? Is this announcement a prelude of things to come? Wouldn't surprise me one bit in the acquisition hungry technology world of today.

Thursday, March 01, 2007

CA jumps on the identity monitoring bandwagon

CA's just released an update to their Wily Introscope application management software with their Wily Manager for SiteMinder Web Access Manager. It is supposed to:
  • Monitor SiteMinder policy server and agent performance and availability.
  • Correlate Web application performance with SiteMinder performance.
  • Determine if SiteMinder is impacting performance.
  • Facilitate collaboration between application support and security team.

According to CA it:
"provides comprehensive, real-time metrics such as: average response time for login; successes, failures, and errors per measurement period; and socket availability for SiteMinder processes. Wily Manager for SiteMinder collects this information from SiteMinder Policy Servers and SiteMinder agents for all Web server and application server transactions into a single view that enables application support and security specialists to collaborate and better understand how authentication performance affects their Web applications."

It's also interesting to note that this functionality was built into their Wily Technology infrastructure (which CA acquired in early 2006) instead of their Unicenter infrastructure. Looking through their systems management portfolio however, it makes sense as the Wily products focus on web applications while Unicenter focuses on the traditional enterprise architecture components such as networks, mainframes and midrange servers.

It looks to be a much more focused monitoring offering than IBM's (which I blogged about here) and Oracle's (which I blogged about here) from an access management product perspective. It addresses a few things that customers have commonly asked for in the past, most notably the need to figure out how much impact the security infrastructure is having on the performance of their applications. None of the vendors have been able to give a satisfactory answer here. At least now, CA can monitor it.

That's not to say CA are ahead of Oracle and IBM. They've just chosen to focus on another aspect of monitoring their Identity and Access Management infrastructure. Strategically, the three vendors look to have taken the following approaches:
  • Oracle - Sink their teeth deeper into becoming a Systems Management vendor and do this by releasing a fully functioning (that's debatable as I have yet to see it in action) software product for their Identity and Access Management suite, which is proving to be an area of focus for the security market and as a result is gaining mind share and respect for Oracle in the security space.
  • IBM - Address a customer need by addressing the issue at a high level and providing basic functionality. They have not released a full product yet because the functionality provided does not warrant such a move and doing so would see a backlash from customers and unfavourable views from the industry. This is also why they have released this integration component free (assuming customers already have the relevant Tivoli products required at either end). They have probably released this in preparation for a bigger, more fully featured release of their monitoring suite focusing on the Identity and Access Management products.
  • CA - Address a specific need of their customer base and do it better than their competitors while giving up some of the selling advantages of being more general in their approach like IBM have done.
These are 3 very different approaches and each has its reasons for doing so. The point to make here is that these 3 big vendors are finally realising that they need to address this pressing customer requirement that they've been putting off for so long. The one who executes the best strategy will have a HUGE advantage in the Identity and Access Management arena.