Showing posts with label p2 security.

Saturday, March 29, 2008

More on this WAM thing

My last post generated more interest than I initially expected. I guess it's one of those dormant issues that people have come to accept because it's just how the large vendors sell their Web Access Management (WAM) products (i.e. software).

I asked a few questions in a couple of sections, and P2 Security's CTO, Jeff Gresham, has responded by way of a comment. For those of you reading this via the RSS feed who don't feel like clicking through, I'll repost it here:

"Ian,

We appreciate your interest in our maXecurity product line.

The technology team at P2 Security has been deploying conventional Web Access Management solutions at medium to large enterprises for the better part of a decade. It was our experience with deployment, maintenance and compliance issues that motivated us to develop our appliance-based maXecurity solution.

With maXecurity, we have adopted a "fewer moving parts" philosophy, and have collapsed the conventional three layer architecture (web agents or proxies + policy servers + policy store) to a two layer architecture (proxy appliances + policy store). We see this as a distinct advantage in terms of hardware cost, as well as deployment and maintenance effort, all of which translate to a lower total cost of ownership for our customers. Since a maXecurity solution includes hardware, customers are not required to acquire and deploy any additional hardware or software for a policy server layer. Also, no OS-level system administrators are required to maintain Unix- or Windows-based policy servers. Between hardware and IT staff, we have observed large enterprises (with 100s of thousands of users and hundreds of protected web applications) spending millions of dollars per year on WAM policy servers. By eliminating the policy server layer, these costs can be avoided, with the resulting savings allowing customers to achieve ROI in a matter of months.

With regard to your question: "...how [do] they manage security policies when someone decides to buy more than 1 appliance," maXecurity appliances are grouped into clusters that share the same policy configuration. All policy information is maintained in a centralized LDAP policy store. Policy changes are made from any appliance, written to the policy store, and all other appliances in the same cluster will detect the changes in the policy store and enforce them locally. Any combination of maXecurity Basic (500 users), maXecurity Pro (5000 users) and maXecurity Enterprise (50000 users) appliances can make up a cluster, allowing a maXecurity infrastructure to scale from the smallest to the largest enterprise.

I hope that I've addressed your questions regarding our maXecurity product line.

Jeff Gresham
Chief Technology Officer
P2 Security LLC"
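To make the clustering model in the comment above concrete, here is a small added example: a toy cluster in which a shared policy store stands in for the central LDAP policy store, each appliance enforces from a local copy of the rules, edits made on any appliance go to the store, and the other appliances pick the change up when they next poll. This is illustrative code written for this page, not P2 Security's maXecurity software, and the version counter, the URL-prefix-to-groups rule format and the polling scheme are all constructed assumptions rather than anything taken from their product.

```python
# Added example (not P2 Security's code): a toy model of a WAM appliance
# cluster that shares one policy store. Rule format, version counter and
# polling are constructed for illustration only.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class PolicyStore:
    """Constructed stand-in for the shared LDAP policy store.

    `version` plays the role of a change counter (a real LDAP deployment
    would use modifyTimestamp or a change-log attribute); `rules` maps a
    URL prefix to the set of groups allowed to reach it.
    """
    version: int = 0
    rules: Dict[str, Set[str]] = field(default_factory=dict)

    def write(self, url_prefix: str, allowed_groups: List[str]) -> int:
        self.rules[url_prefix] = set(allowed_groups)
        self.version += 1
        return self.version


class Appliance:
    """One proxy appliance in a cluster: enforces locally, syncs from the store."""

    def __init__(self, name: str, store: PolicyStore) -> None:
        self.name = name
        self.store = store
        self.local_version = -1          # nothing pulled yet
        self.local_rules: Dict[str, Set[str]] = {}
        self.sync()

    def sync(self) -> bool:
        """Poll the store; copy the rules only if the store version moved."""
        if self.store.version == self.local_version:
            return False
        self.local_rules = {p: set(g) for p, g in self.store.rules.items()}
        self.local_version = self.store.version
        return True

    def change_policy(self, url_prefix: str, allowed_groups: List[str]) -> None:
        """An admin edit made on this appliance goes to the shared store first."""
        self.store.write(url_prefix, allowed_groups)
        self.sync()

    def authorize(self, url: str, user_groups: List[str]) -> bool:
        """Local enforcement: most specific (longest) prefix wins, default deny."""
        matches = [p for p in self.local_rules if url.startswith(p)]
        if not matches:
            return False
        allowed = self.local_rules[max(matches, key=len)]
        return bool(allowed & set(user_groups))


def stale_appliances(cluster: List[Appliance]) -> List[str]:
    """Operational check: appliances that have not yet picked up the latest store version."""
    return [a.name for a in cluster if a.local_version != a.store.version]


def run_demo() -> Dict[str, object]:
    store = PolicyStore()
    a, b, c = (Appliance(n, store) for n in ("app-a", "app-b", "app-c"))
    cluster = [a, b, c]

    # Two policy edits made on appliance a, written through to the store.
    a.change_policy("/hr/", ["hr-staff", "hr-admins"])
    a.change_policy("/hr/admin/", ["hr-admins"])

    out: Dict[str, object] = {}
    # The editing appliance enforces the new rules immediately...
    out["a_staff_hr"] = a.authorize("/hr/payroll", ["hr-staff"])            # True
    out["a_staff_hr_admin"] = a.authorize("/hr/admin/users", ["hr-staff"])  # False
    # ...while the others still run the old (empty) policy until they poll:
    out["b_before_sync"] = b.authorize("/hr/payroll", ["hr-staff"])         # False (default deny)
    out["stale_before"] = stale_appliances(cluster)                          # ['app-b', 'app-c']
    for appliance in cluster:
        appliance.sync()
    out["b_after_sync"] = b.authorize("/hr/payroll", ["hr-staff"])          # True
    out["stale_after"] = stale_appliances(cluster)                           # []
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point the toy makes is the one a practitioner would want to check in any two-layer design of this kind: between the write to the store and the next poll, the other appliances in the cluster are still enforcing the previous policy, so a rule removal is not effective cluster-wide until every member has synced. The `stale_appliances` check is the kind of monitoring that closes that gap, and default deny on an unmatched URL keeps a not-yet-synced appliance from granting access to a resource the store has only just started protecting.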

There is some truth to what he says. Of course, that doesn't mean it is any easier to manage from an overall standpoint. I maintain that it is still a point solution for those that have a specific need to address their Web Access Management problems.

Thursday, March 20, 2008

Why did it take this long for someone to build a Web Access Management appliance?

Many IBM Tivoli (and ex-IBM Tivoli) people have been saying for years that IBM Tivoli Access Manager's WebSEAL component should be an appliance, not a piece of software you have to install. For those not familiar with IBM Tivoli's security products, WebSEAL is the web proxy that typically sits in the DMZ of your network and performs the authentication and authorisation for your Web applications. I won't go into a sales pitch about why that's a good thing. If you really want to know, ask your local IBM sales rep or send me an email via the contact form on this blog and I'll get back to you.

For one thing, an appliance will generally perform better. Extremely handy when it's the front door into your enterprise web environment. IBM will not disagree because they have an appliance product doing what WebSEAL does, but for Web Services. It's called WebSphere Datapower, which was technology IBM bought via the acquisition of Datapower in 2005. The specific appliance I'm referring to is the XS40, which I also had to know about for some time until IBM finally decided to stick it once and for all under the WebSphere brand. To be fair, it does have integration points into IBM Tivoli Federated Identity Manager so all you IBM security people shouldn't be ignoring it.

It's also become somewhat of a commodity. Every major vendor has one, calls it "Access Manager", delivers it on a CD (meaning it's software) and all have very similar core functions. They are just architecturally different. I suppose it wasn't worth the effort to make it an appliance even though it made sense. All these "Access Manager" products have been selling just fine as software components.

I've been catching up on my news items (when am I ever not) and stumbled upon these guys. They are P2 Security, and they have built exactly what I've just described: an appliance that does Web Access Management. They even have a comparison matrix against the big vendors, which by the way isn't exactly accurate. I already see some "crosses" against IBM that I know should be "ticks".

The one beef I have with this appliance from P2 Security is that they count having a policy server as a negative (see the comparison matrix). I don't see why that should be the case. They may argue that it presents management overhead. Sure, but I don't see any mention within their collateral of how they manage security policies when someone decides to buy more than 1 appliance.

If you are in the security game, you know it's a pain in the behind to have to change security policies (or any policies for that matter) in multiple places. Are they saying that if you have multiple appliances, each time you change the policies on one of them, you have to do it for the others? It may be tolerable if it's a simple policy change, but security policies are not usually simple when it comes to authorisation (aka entitlements, although in this case I don't think the appliance can get fine-grained enough to qualify as doing any real entitlement management). Any decent technology company will have an answer for my question, so perhaps they've already thought this through. I just can't find it on the site (maybe I'm not looking hard enough, but it's late so give me a break).

The main point to make here, however, is that it remains a point solution. Useful if you are a small organisation that only wants to do Access Management for your web applications, but if you want a more coherent and integrated Identity and Access Management solution, you should probably go for one of the large suite vendors. That said, I applaud P2 Security for delivering what many have been asking for (but vendors have not bothered to build because the ROI on the effort didn't make sense).

Of course, they are a perfect target for acquisition by an Identity Vendor without an access management product. Did I hear someone say Courion?