Abstract
The mid-market business has many of the same identity management requirements as the large enterprise: comprehensive identity consolidation across multiple resources, identity reconciliation, provisioning and lifecycle management. Solutions that embrace all these capabilities are often expensive, complex, and out of reach of mid-tier organizations. The same organizations also need to enforce network access policy, on those who connect from within the business as well as from outside, and solutions that integrate both sets of capabilities are rarer still. With the introduction of its Identity Managed Access Gateway, Apere makes an innovative entry that delivers them all, in an appliance form factor specifically targeting the underserved mid-market. Enterprise Management Associates (EMA) believes that Apere’s offering may well have found a sweet spot that converges broadly functional identity management and network access control, in an offering that integrates both in a highly provocative way.
Background
If there was one lesson driven home by the outbreaks of worms and compound threats of the last several years, it was that the biggest liability exploited was not the individual vulnerabilities sequentially targeted in an attack. It was the lack of coordination of measures to assure that such risks were consistently mitigated. It was this single gap more than anything else that gave rise to the market of solutions that enforce a specific security or regulatory compliance posture on network endpoints, before access to IT and information resources is enabled.
These measures help keep unauthorized security risks off the network—but what about the risks posed by authorized network users? Identity management and authentication solutions represent the front line of tools that secure the business against risks of unauthorized access—but there are a number of challenges that identity management must itself address in order to be truly effective.
Many of these challenges revolve around the proliferation of multiple identity stores and the variety of resources that depend on them for access control. IT systems themselves maintain their own user identities, and those may be as many and as different as the number of IT systems in the business. Personnel systems may maintain an entirely different set of identity records, while contract administration may maintain completely separate contractor identities. Sales may handle Customer Relationship Management (CRM) records, while applications may maintain their own accounts for customers or third-party clients. Financial records face particular scrutiny under regulatory mandates such as the Sarbanes-Oxley Act (SOX). Regulation as a whole has had a significant impact on the requirements organizations face for managing access to information resources, which further raises the bar on requirements for linking identity with access control.
The identity management market has grown substantially in recent years in response to these challenges, but there are two significant obstacles that the business faces in linking identity management with access control.
One is the cost and complexity of an identity management deployment. Single Sign-On (SSO) solutions exist to coordinate multiple access controls, but many are essentially password management solutions, where a logon to the SSO account equates to a logon to every resource linked to the SSO system. This makes it difficult to apply fine-grained access control when access requirements change for one, or a few, of those resources but not for all of them, and it means that a single compromised SSO credential unlocks every linked resource at once.
This brings up the second challenge: integrating the business processes on which user lifecycle management depends. From user provisioning to the monitoring of access privileges, privilege modification, and the retirement of accounts—including measures to assure accounts that should be retired are no longer active as “ghost” accounts, potentially accessible by users no longer authorized—the integration of business processes is one of identity management’s most substantial demands. Each business is unique, and its processes must be well understood by tools as well as solution implementers if identity provisioning and lifecycle management is to succeed. This often translates into expensive services engagements and product offerings accessible to the most well-resourced enterprises, but with limited affordability in the mid-market.
The recent trend in network access control has created new opportunities for greater identity awareness, but gaps may remain. Identity management, in concert with network access control, may keep an unauthorized user off the network; the authenticated user is a different matter. Once on the network, identity management may keep a user from accessing a restricted resource, but it may not keep that user from contacting the resource. Many protections against external threats are predicated on keeping attackers isolated from sensitive resources. This is far more difficult on the internal, “trusted” network, where users may attempt to log into restricted resources even when identity management is in place. When a gap in identity enforcement, such as an insufficiently granular approach to SSO or a failure to police ghost accounts, permits access to resources that should be restricted, identity management is no longer comprehensively effective. The mid-market is particularly susceptible to such gaps, given its resource constraints. The network itself could be called upon to better enforce access controls, but the network is still not sufficiently leveraged as an access control tool in its own right, one that keeps unauthorized users away from restricted resources altogether.
Introducing Apere’s Identity Managed Access Gateway
This is the convergence of challenges that Apere has entered the market to address, with its new Identity Managed Access Gateway (IMAG) appliance. The mid-market is the target of IMAG’s capabilities, integrating with the network itself to become a focal resource linking comprehensive identity and access control in an innovative package. Apere’s strategy aims to deliver the identity management functionality needs of the mid-tier enterprise at a fraction of the cost of traditional identity management solutions. This is intended to allow this solution to fit within the budgets and signing authority of IT Directors, and as a bonus, deliver another layer of network security.
Simplified Identity Integration
Apere’s IMAG deploys in the network and discerns what identity resources reside throughout the business, and where they are located. Through this process, it is able to consolidate and reconcile identities across multiple resources, applying what Apere refers to as “identity cleansing”: the correlation of multiple identities that refer to a single individual, the identification of ghost accounts and privilege inconsistencies for more effective management, and other tasks that simplify the process of integrating and managing identities across a range of varied assets.
IMAG’s integration capabilities are enabled by native connectors to common identity and authentication resources such as Microsoft’s Active Directory as well as LDAP, Samba, RADIUS and common database formats. IMAG’s Connector Factory components, however, are what give the product high flexibility in expanding that range significantly. By monitoring identity interactions with IT assets, the IMAG Connector Factory is able to learn the sequence of interactions necessary to integrate with the identity and authentication capabilities of various access targets. This gives IMAG high extensibility for its identity capabilities, significantly lowering bars to integration and eliminating the need for modifications to IT resources. Connector Factories are available that are tailored for integration with leading healthcare, financial, and enterprise resource management assets.
With this broad integration capability packaged in a network appliance, IMAG is positioned to serve as an easily deployed identity management center, the one resource administrators access in order to manage identities across a spectrum of assets. Identity provisioning and lifecycle management is enabled directly by IMAG itself, which transparently manages interactions with integrated resources, applying “identity cleansing” to assure that identity management is comprehensive and current. Delegated workflows allow provisioning and user management to be distributed within an organization, while self-service portal capabilities are also available for user password reset and privilege modification requests.
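The identity cleansing step described above, as an added example that is not Apere’s code and is not drawn from the IMAG product: three constructed identity stores (an Active Directory domain, a finance application and a CRM system) are correlated to an authoritative personnel record by e-mail address, accounts whose owner is terminated or unknown are reported as ghost accounts, and privileges beyond what the owner’s HR role entitles are reported as inconsistencies. The store contents, the role-to-privilege entitlement table and the choice of e-mail as the sole correlation key are all assumptions made for the illustration; a real reconciliation would correlate on several attributes and treat partial matches as findings in their own right.

```python
"""Identity cleansing across several identity stores (constructed sample data)."""
from dataclasses import dataclass, field

# Constructed authoritative personnel system: who is employed, and in what role.
HR = {
    "E1001": {"name": "Alice Ng", "email": "alice@example.com", "status": "active", "role": "finance"},
    "E1002": {"name": "Bob Ruiz", "email": "bob@example.com", "status": "terminated", "role": "sales"},
    "E1003": {"name": "Cara Lee", "email": "cara@example.com", "status": "active", "role": "it"},
}

# Constructed IT identity stores: store name -> local account -> attributes.
STORES = {
    "ActiveDirectory": {
        "ang":        {"email": "alice@example.com", "privileges": {"user"}},
        "bruiz":      {"email": "bob@example.com",   "privileges": {"user"}},
        "clee":       {"email": "cara@example.com",  "privileges": {"user", "domain_admin"}},
        "svc_backup": {"email": None,                "privileges": {"domain_admin"}},
    },
    "FinanceApp": {
        "alice.ng": {"email": "alice@example.com", "privileges": {"ledger_write"}},
        "bob.r":    {"email": "bob@example.com",   "privileges": {"ledger_write"}},
    },
    "CRM": {
        "bob":  {"email": "bob@example.com",  "privileges": {"sales"}},
        "cara": {"email": "cara@example.com", "privileges": {"sales", "export_all"}},
    },
}

# Hypothetical policy: privileges each HR role is entitled to, per store.
ENTITLEMENTS = {
    "finance": {"ActiveDirectory": {"user"}, "FinanceApp": {"ledger_write"}},
    "sales":   {"ActiveDirectory": {"user"}, "CRM": {"sales"}},
    "it":      {"ActiveDirectory": {"user", "domain_admin"}},
}


@dataclass
class Person:
    employee_id: str
    status: str
    role: str
    accounts: dict = field(default_factory=dict)  # (store, account) -> privileges


def correlate(hr, stores):
    """Link every store account to an HR person by e-mail.

    Returns (people, unmatched): people maps employee id -> Person with all
    correlated accounts attached; unmatched lists (store, account) pairs that
    could not be tied to anyone in HR.
    """
    by_email = {rec["email"]: eid for eid, rec in hr.items()}
    people = {eid: Person(eid, rec["status"], rec["role"]) for eid, rec in hr.items()}
    unmatched = []
    for store, accounts in stores.items():
        for acct, attrs in accounts.items():
            eid = by_email.get(attrs.get("email"))
            if eid is None:
                unmatched.append((store, acct))
            else:
                people[eid].accounts[(store, acct)] = attrs["privileges"]
    return people, unmatched


def find_ghost_accounts(people, unmatched):
    """Accounts with no live owner: uncorrelated, or owned by a non-active person."""
    ghosts = list(unmatched)
    for p in people.values():
        if p.status != "active":
            ghosts.extend(p.accounts)
    return sorted(ghosts)


def find_privilege_inconsistencies(people, entitlements):
    """Privileges held in a store beyond what the owner's HR role entitles."""
    findings = []
    for p in people.values():
        if p.status != "active":
            continue  # already reported as ghost accounts
        allowed = entitlements.get(p.role, {})
        for (store, acct), privs in p.accounts.items():
            excess = privs - allowed.get(store, set())
            if excess:
                findings.append((store, acct, sorted(excess)))
    return sorted(findings)


if __name__ == "__main__":
    people, unmatched = correlate(HR, STORES)
    print("ghost accounts:", find_ghost_accounts(people, unmatched))
    print("privilege inconsistencies:", find_privilege_inconsistencies(people, ENTITLEMENTS))
```

On the constructed data the run reports four ghost accounts (three belonging to the terminated employee Bob, plus the service account that correlates to nobody) and one privilege inconsistency (the IT employee’s CRM account, which her role does not entitle her to at all). The service-account case is the one most often missed in practice: it is not tied to a person, so it never shows up in a personnel-driven deprovisioning workflow unless reconciliation explicitly reports uncorrelated accounts.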
Identity-Enhanced Access Management
The Apere Identity Managed Access Gateway can be placed outside the data path to consolidate identity management and perform its identity “cleansing” functions. As its name suggests, however, IMAG can also be placed in the data path as a gateway in its own right, where it enforces more effective identity-aware access control.
Based on its knowledge of access privileges across multiple resources, IMAG may, for example, be aware that a certain user has had their access privileges restricted or revoked for all resources—but one of those resources may not yet have itself fully revoked its own controls on the user’s access. In an unprotected network, this user would still be able to contact the restricted resource. They may also attempt to access the resource through the access privileges of someone else. In the worst case, they may attempt even more subversive means. IMAG recognizes this individual thanks to an identity reconciled across multiple resources, and can therefore deny access to all resources that should be restricted—whether those resources have restricted access to themselves or not. This limits the efforts the business must expend in deploying access policies for each individual asset.
IMAG can also incorporate its awareness of the network in enforcing access policy, combining knowledge of the endpoint’s IP and MAC addresses with knowledge of the context within which access is permissible. A business may want to restrict access to sensitive resources from external networks, partners, home offices or remote/branch sites, regardless of whether the user is otherwise authorized. IMAG’s visibility into the network origin of access, combined with comprehensive visibility into user access privileges, helps restrict access based not only on user authorization but also on the network context within which access is sought. Once access to the internal network is gained, IMAG continues to centralize the enforcement of access control within the business, constraining which resources an individual user can contact, and under what policy.
IMAG can also extend the value of VLAN deployments by linking identity and access awareness, throughout the business, to an individual user’s VLAN access. Regardless of where this user accesses the network, IMAG will recognize the VLAN restrictions and access privileges available to that user, effectively allowing their VLAN access to follow them throughout the organization.
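The enforcement behaviour described in the three paragraphs above, as an added example that is not Apere’s code and does not reflect IMAG’s internals: a gateway decision function that consults a centrally reconciled identity state before any resource-local account, classifies the source address into a network context, checks the resource’s context policy before the user’s entitlement (so a restricted resource stays unreachable from outside even for an authorized user), and returns the VLAN bound to the identity rather than to the access port. The identity table, address plan, per-resource policy and the MAC-to-identity binding check are all assumptions made for the illustration. The `gap_report` helper shows the situation the text describes, a user revoked centrally whose account a resource has not yet disabled locally.

```python
"""Identity-aware gateway policy decision (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical address plan: contexts the gateway distinguishes by source address.
NETWORK_CONTEXTS = {
    "internal": [ipaddress.ip_network("10.0.0.0/8")],
    "branch":   [ipaddress.ip_network("172.16.0.0/12")],
    "partner":  [ipaddress.ip_network("192.168.100.0/24")],
}  # anything else is treated as "external"

# Reconciled identity state held by the gateway (in practice, the output of
# identity cleansing). Constructed data.
IDENTITIES = {
    "alice": {"status": "active",  "mac": "00:11:22:33:44:01", "vlan": 20, "entitled": {"FinanceApp"}},
    "bob":   {"status": "revoked", "mac": "00:11:22:33:44:02", "vlan": 30, "entitled": {"CRM"}},
}

# What each resource's own account store still believes; it may lag the central state.
RESOURCE_LOCAL_ACCOUNTS = {
    "FinanceApp": {"alice": "active", "bob": "active"},  # bob not yet disabled here
    "CRM":        {"bob": "active"},
}

# Hypothetical per-resource policy: reachable network contexts and the resource's VLAN.
RESOURCE_POLICY = {
    "FinanceApp": {"allowed_contexts": {"internal"}, "vlan": 20},
    "CRM":        {"allowed_contexts": {"internal", "branch", "partner"}, "vlan": 30},
}


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    vlan: Optional[int] = None


def classify_source(ip: str) -> str:
    """Map a source address to a network context, defaulting to external."""
    addr = ipaddress.ip_address(ip)
    for ctx, nets in NETWORK_CONTEXTS.items():
        if any(addr in net for net in nets):
            return ctx
    return "external"


def decide(user: str, src_ip: str, src_mac: str, resource: str) -> Decision:
    """Gateway decision for one connection attempt.

    Check order matters: central identity state first, then endpoint binding,
    then network context, then entitlement. A resource's own account store is
    never consulted, so its lag cannot widen access.
    """
    ident = IDENTITIES.get(user)
    if ident is None:
        return Decision(False, "unknown identity")
    if ident["status"] != "active":
        return Decision(False, "identity revoked centrally")
    if ident["mac"] != src_mac:
        # Assumed binding of identity to a known endpoint; MAC addresses are
        # trivially spoofable, so this is a consistency check, not authentication.
        return Decision(False, "endpoint does not match identity binding")
    ctx = classify_source(src_ip)
    policy = RESOURCE_POLICY[resource]
    if ctx not in policy["allowed_contexts"]:
        return Decision(False, f"resource not reachable from {ctx} network")
    if resource not in ident["entitled"]:
        return Decision(False, "not entitled to resource")
    # The VLAN follows the identity, whatever access switch the user arrived on.
    return Decision(True, "allowed", vlan=ident["vlan"])


def gap_report():
    """(resource, user) pairs a resource would still accept but the gateway denies."""
    gaps = []
    for resource, accounts in RESOURCE_LOCAL_ACCOUNTS.items():
        for user, local_status in accounts.items():
            central = IDENTITIES.get(user, {}).get("status")
            if local_status == "active" and central != "active":
                gaps.append((resource, user))
    return sorted(gaps)


if __name__ == "__main__":
    print(decide("bob", "10.1.2.3", "00:11:22:33:44:02", "FinanceApp"))
    print(decide("alice", "203.0.113.5", "00:11:22:33:44:01", "FinanceApp"))
    print(decide("alice", "10.5.5.5", "00:11:22:33:44:01", "FinanceApp"))
    print("enforcement gaps:", gap_report())
```

The first call is the text’s scenario: the finance application still lists Bob as active, but the gateway denies him because the reconciled identity is revoked. The second shows the context rule overriding authorization: Alice is entitled to the finance application yet cannot reach it from an external address. The third succeeds and carries the VLAN that belongs to Alice, not to the port she plugged into.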
Comprehensive Reporting
In its approach to IMAG’s reporting capabilities, Apere has recognized four of the primary values of reporting in today’s regulatory environment, where IT control reporting is essential to a demonstration of compliance. These four values are: reporting adapted to regulatory requirements, identity access reports for administrators, formats exportable to other solutions, and a dashboard approach that enables ready identification of key identity and access issues.
Apere’s approach to dashboard-type reporting and alerting centers on its “one-button compliance dashboard,” which enables administrators to select a view that depicts the current identity and access management posture against mandates such as SOX, the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA). Its administrative reporting capability provides administrators with a single, centralized view into identity and access management across a number of resources. Report and event export is facilitated through syslog, a format that continues to be popular for consolidated event visibility and analysis.
Key Ramifications
Apere’s Identity Managed Access Gateway makes a breadth of capability available to the mid-market that had heretofore largely been restricted to solutions for large, complex enterprises. By packaging as an appliance, Apere makes its functionality range much more accessible to this market, consolidating many of the most desirable aspects of identity management and related business processes.
At the same time, Apere combines this capability with enhancements to the control of access to IT and information resources in the network itself, extending the capabilities of the network for controlling access, and making a more direct integration of identity technologies with these capabilities than many other approaches currently available. This aspect of the product may well attract the interest of the enterprise, even if it has access to more complex approaches to identity management. The ability to engage the network to enforce access policy, with a wide scope of intelligence into enterprise-class identity management, identifies a sweet spot that brings both domains together in a highly provocative way.
Together, these capabilities are likely to be well received by a market in greatest need both of better controls on resource access, and better identity management at a more affordable price and accessible form factor. This market is a prime target today, for identity management vendors particularly. Large, complex organizations such as hospitals and health care facilities, for example, often face complex identity management challenges in a stringent regulatory climate—but available resources are typically prioritized for primary investments such as diagnostic tools and medical technologies. The introduction of products such as Apere’s Identity Managed Access Gateway extends integrated enterprise-class functionality to such businesses in a way that makes the most of the IT budget.
Many organizations are reluctant to embrace too-strict enforcement with today’s new approaches to network access management. The reasons are many, not the least of which is that enforcement implies functionality that crosses the boundary between network operations and security domains. Apere seems to have taken a good approach to engineering in anticipation of these concerns, optimizing performance and enabling distributed deployment, both of which should help adoption. Its roadmap embraces the potential to port today’s network-optimized kernel functions to a network processor for flexibility in future product development, which speaks to its awareness of “future-proofing” concerns.
The integration of network access management and security also crosses political boundaries which can be an impasse to adoption. In the mid-market, however, these distinctions are not always as severe as they are in other organizations, and in fact in many mid-market businesses, network and security operations may be one and the same. Apere’s mid-market strategy may therefore serve to further the market’s experience with solutions that blend networking with security, and help to move such integrations further forward.
EMA’s Perspective
In recent months, EMA has seen identity leaders recognize the mid-market opportunity. Many have responded with solutions that make enterprise-class identity management capabilities such as comprehensive provisioning more accessible. At the same time, the network access control market has begun to embrace identity in new ways, largely to extend the flexibility of authentication techniques available to network endpoint policy compliance enforcement. Vendors have begun to extend this broadening of authentication capabilities with the introduction of products that increase the scope of identity in the monitoring and management of network access, with more or less enforcement capability.
Apere’s combination of capabilities is an innovative—and integrative—entry with disruptive potential across all these domains, combining many of the values that customers want to see brought together. The ability to package many key aspects of identity in an easily deployed appliance form factor is novel enough, but the ability to bring this capability to bear on increasing the granularity of access management in the network effectively brings together the two very active markets of identity management and network access control. In grasping this opportunity, Apere may well find itself courted not only by leaders in both for the capabilities it integrates across these domains, but by customers who are looking for a consolidated solution that addresses significant challenges common to each. Apere may therefore have found a sweet spot that marks a particularly attractive point of convergence in these two very active markets, and should therefore be watched for the interest it engenders.