CA Makes Federated Access Management Easier

Significant changes in CA products are worth a look

Last week, CA put a holiday bow around a series of updates to its eTrust line of identity and access management (IAM) tools. The best news for existing customers is that cooperation between business affiliates gets a boost in an update to its SiteMinder product.

The largest focus of the CA changes centers on solving business federation needs, which usually invokes the holy grail of single sign-on (SSO) along with the myriad issues of cross-enterprise authentication and authorization. It’s not just whom you trust and by how much, but how.

According to Mark Diodati, identity and privacy strategies analyst at the Burton Group, the details of federation have been daunting for companies. “The toughest question of federation has been, ‘How do I set up (and maintain) all the trust relationships.’ That is a hard problem to solve—and not just for CA. Right now most companies do it on an onesie, twosie basis, but if the relationships are more numerous or dynamic, which is an extreme example, the challenges are huge.”

The interest in single sign-on and federation has ramped up significantly in the second half of 2006, driven by the need for secure credentials across organizations. IDC estimates the market for federated identity management/SSO products was about $50 million in 2005, jumping to $200 million in 2006 and hitting the $700 million mark by 2010.

In that regard, the SiteMinder 6.0 SP5 release, which provides centralized user authentication and access control for Web applications and portals, takes on some of its share by adding support for Microsoft Active Directory Federation Services (ADFS) so the same popular identity/authentication store used by a company can be used by trusted partners.

Additionally, SiteMinder added tools to speed provisioning within the deploying company and a new federation "end point" based on technology acquired from Ping Identity to speed provisioning between the deploying company and its affiliates.

Strong forms of authentication, such as tokens, smart cards, and biometrics, become simpler to integrate, and associated applications are easier to group in SSO "zones" across the enterprise.

Also sporting incremental revision is Identity Manager 8.1 SP1, which includes connectors for smart card management and point-and-click development of RDBMS connectors. Access Control 8 SP1 gains include support for server virtualization offered by Solaris 10 Zones and VMware ESX Server. Mobile workers get the biggest boost from Single Sign-On 8.1’s support for SSO to client-side applications, which also extends to times when the system is detached from the network.

The rechristened Embedded Entitlements Manager 8.2 is the software formerly known as the IAM Toolkit and used for internally-developed applications. The version now sports support for the XACML, SAML, and SPML standards, easing interoperability with third-party authentication, user administration, and policy-management systems. C# was added to the existing Java and C++ as development languages.

According to Sally Hudson, research director at IDC, SiteMinder is “an extremely important piece of infrastructure for many huge organizations,” and the update releases are keeping up with customers’ needs. “Provisioning has vastly improved to accommodate the large number of resources and people in these relationships,” she stated, but also cautioned, “There will still be tweaking and bumps depending on what systems are already in place.”

Burton Group’s Diodati lauded the addition of smart card support as important for corporations using hardware tokens for identity management, and felt the ADFS support was significant for the large number of partners that run Microsoft Active Directory.

Diodati also felt the federation end point represented a significant change. He noted that a vanilla federation service could be prototyped in a couple of hours, and even more complicated services could be tested and deployed in under a couple of weeks. Diodati believes the benefit for existing SiteMinder customers is the ability to quickly produce a “leaner, meaner, more nimble solution via the federation endpoint that companies can hand to their partners, particularly smaller partners who don’t have the resources to develop their own.”

The CA revisions are significant but don’t leapfrog the competition, including IBM. When asked, Hudson didn’t see that as a problem, since she sees IBM and CA solutions working side by side in many shops, and IBM has greater inroads into legacy applications via its RACF mainframe authentication security.

Although single sign-on is attractive, federated single sign-on still has impediments, particularly in industries with significant privacy concerns, such as health care. In my view, a partner company may have signed a HIPAA-mandated business associate agreement, but I can’t trust all employees listed in their directory store. Assigning levels of trust for those I do trust is as rigorous, if not more so, than the assignment of any internal employee.

In those cases, the simpler solution is to issue your own credentials to the partner employees. It adds a burden to the employee and your IT staff, and risks out-of-sync situations, such as leaving active the account of a departed partner employee. Since your organization, and not the partner, bears ultimate responsibility, that seems a prudent cost of doing business.

Some corporations will decide that home-rolled or alternative solutions still fit their circumstances for federating access to Web servers, but current CA customers and large corporations evaluating IAM solutions should do their due diligence on the benefits of these recent revisions.

About the Author

Chris DeVoney is a Seattle-based 30-year veteran of computing who has written numerous technology books and articles. He is currently an IT specialist within the University of Washington.
