Cisco wants an identity and entitlement aware network

I've mentioned Securent a couple of times before and have had various opinions about the company and Authorisation/Entitlement Management in general. I've even had a bit of a debate with its CEO Rajiv Gupta both online and offline (via email).

In one of the "what the F*$&" moves of recent times, Cisco just acquired Securent for $100 million. In a side note, Securent curiously also announced guidelines and tools for centralising the management of entitlements. I think this is somehow going to get lost amongst all the talk about the acquisition.

There's plenty of informed commentary about it by Dave Kearns, Jackson Shaw, Ian Glazer, the Burton Group, and Dark Reading so I won't comment too much other than to say I agree with a few things various people have said:

1. Securent will form the basis of Cisco's centralised, network based entitlement/authorisation service. Why? Because Cisco said so.
   
2. Cisco is trying to bridge the gap between Identity on the network and Identity in the application world. They are not the only company doing this, but they are the most influential because they are Cisco. It's still true that in many circles today, the network = Cisco.
   
3. Cisco understand (or at least hopes that organisations understand) that Enterprise Identity and Access Management needs the network to play its part around user identity and context to have a truly coherent enterprise security infrastructure that works. I'm not saying it's easy. I'm just saying it needs to happen.
   
4. Securent will get lost in the big juggernaut that is Cisco, be consumed and eventually forgotten by virtue of being absorbed into a company as big as Cisco. So much for that great marketing team I've complemented before.
   
5. Why the heck did Cisco start its march into the identity space with Securent? It's a little puzzling, but I suppose the other "hot mature vendors" had already been gobbled up by the likes of IBM, Oracle, CA and others. Cisco is behind in this space. The fastest way forward when you are behind is to be disruptive. Maybe that's what they are going for. They need to be relevant in this area if they are to continue being dominant in the networking world.
   

In good company

The guys over at Securent have started a blog dedicated to discussion around entitlement management (EM). It'll be interesting to see what type of content gets posted on there and exactly how much discussion it will facilitate. They're off to a decent start I suppose, getting Gerry Gebel from the Burton Group to contribute. There's no real meaty content yet however. Securent CEO Rajiv Gupta's entry is the stock standard spiel about EM.

The only reason I found out about this site was through referrals to my blog. I'm starting to see traffic from www.entitlementblog.com and was wondering how in the world this was happening. So I checked it out and was surprised to see my name on the blogroll amongst some illustrious company.


I thought I should take a screen shot before they realise I'm not worthy of being amongst the names on that list :)

Securent bandwagon getting heavier

One of the most widely read posts on this blog is my rant on entitlement management and Securent. If you've read it, you might have also noticed my "conversation" with their CEO Rajiv Gupta in the comments (incidentally, I never did get a response to the last email I sent him asking for a clarification - but I'm sure he has better things to do than debate the point with me...like marketing his product for example).

They've been getting more and more positive press coverage lately (here, here, here and here). And this week one of the louder voices in the identity community also jumped on the bandwagon. Dave Kearns made mention of Securent in this NetworkWorld article a few days ago. Again, it was positive.

I'll say one thing. Their marketing department is doing a great job of positioning Securent in a positive light in the marketplace. I have yet to see any negative buzz relating to them (apart from my rant). They've also recently announced the expansion of their leadership team so they are obviously doing very well.

I have nothing against Securent and their place in the market. More power to them for attacking the niche of authorisation management and realising it's been the poor cousin to identity management for awhile. Shame on IBM, CA, Sun, Oracle, BMC et al for not realising the potential and doing something about it...from a marketing standpoint (actually CA sort of have, but they only made a half hearted attempt and have not gotten any mindshare).

And that's exactly my point. Securent are winning on marketing. Their decision to use "entitlement management" to differentiate themselves from the pack has been a masterstroke. The less informed amongst us seem to think just because it's not a term they've heard before, it must be new. It's not. Like I've been saying over and over again, it's just authorisation/access management re-badged. Anyone who believes otherwise has been "marketed".

Entitlement Management is NOT a new concept

Seems to be a fair bit of hype and marketing about the supposed "new" area of Identity Management called "Entitlement Management" and a particular startup called Securent. InternetNews.com, NetworkWorld and DigitalIDWorld (to name a few) have all talked about it as being the "new frontier" even suggesting that Securent is the only startup in this area.

I beg to differ and I'd be willing to bet any vendor or startup out there dealing in network or application access control will no doubt have something to say about that. It's just that it hasn't been marketed well enough in the past. This type of "entitlement management" technology has been around for YEARS. In fact, many of the access management products on the market are built on this type of idea and most offer APIs to allow the externalisation of entitlements. The only thing missing with many of the existing products out there is an XACML interface into them - and I dare say this is being rectified in a hurry.

All the hype-mongers out there should look a little deeper into the solutions out there before "announcing" the arrival of the "next big NEW technologies" and further adding to the hype. Perhaps organisations are starting to take a look at "entitlement management", but it's not new. The only thing that's happening at the moment is that marketing is catching up with the technology. Maybe the marketing departments have leaped on this concept as the next thing to go after because most of the other areas have been marketed to death.

It kind of makes sense because vendors are now beginning to work their way down the application stack in the identity space. Perhaps market research has also helped determine that the security maturity lifecycle of organisations is at this stage in their identity and access implementations. Regardless of the reason, the industry seems to have reached the point where it makes sense to specifically market fine-grained authorisation as a key component. In the past, this was simply "value-add".

InternetNews.com goes so far as saying some vendors don't have solutions in the "entitlement management" space and singles out IBM in particular. The writer of that article should really do his research a bit better. I have a tip for him - go read up on IBM Tivoli Access Manager.