The Latest Wave of IdM Acquisitions

It’s been a while since I blogged. Not that there isn’t a wealth of topics to talk about; work here at Oracle has simply kept me too busy. The time right around a major product release (see my recent post about the release of OIM 9.1) is always the busiest for me, because I get so heavily involved in the early planning stages of the next major release. And the next one is going to be a big one. More on that in a later post.

But I couldn’t keep myself from commenting on the most recent wave of acquisitions in the identity space. Both have some interesting consequences for the identity management market.

IBM acquires Encentuate
First up is the acquisition of Encentuate, a provider of enterprise single sign-on (E-SSO) and strong authentication technology, by IBM (see the press release here). The biggest effect of this acquisition will be on customers who bought IBM’s current offering in the E-SSO space, IBM ITAM ESSO (that mouthful stands for IBM Tivoli Access Manager for Enterprise Single Sign-On). That product is an OEM of Passlogix’s v-GO product suite. IBM is not going to keep two products in its stable doing the same thing, so the logical assumption is that over the next release or two, ITAM ESSO will shift from the Passlogix technology to the Encentuate technology.

You can read the views of some folks on the acquisition here, here and here. I found Ian Yip’s reaction most interesting, especially since he used to work at IBM. He pulled no punches in telling customers of ITAM ESSO what to expect, saying that in the future they will be forced into an upgrade that isn’t really an upgrade:

“What marketing won’t say is that the “upgrade” from 6.0 (based on Passlogix) to 7.0 (based on Encentuate) is essentially a rip and replace. There is no seamless upgrade. Sure, they’ll probably offer some tools to “help”, but the upgrade process will need professional services either from IBM Software Services or IBM Business Consulting Services because the single sign-on templates will be completely different between the Passlogix and Encentuate products.”

Ian thinks that IBM ITAM ESSO customers are the losers in the deal (along with Passlogix, who suddenly lost a revenue stream). However, it doesn’t really have to be that way. Passlogix is also the OEM component in Oracle’s E-SSO offering, Oracle Enterprise Single Sign-On Suite (something that Ian believes raised IBM’s ire). So there is another option available to ITAM ESSO customers: instead of a rip and replace of ITAM ESSO with the next version of ITAM ESSO, move from ITAM ESSO to Oracle eSSO Suite. Because both products are built on the same Passlogix technology, the shift should be far smoother than the rip and replace Ian describes (assuming, of course, that the versions of the underlying Passlogix components line up). And you get the added benefit of direct integration with Oracle Identity Manager, through the Oracle eSSO-Provisioning Gateway that Oracle ships.

Of course this sounds self-serving, and a bit simplistic, but it is also quite logical, and likely to be an approach that could save many an enterprise many a headache.

And IBM’s move certainly serves as validation of the maturity and viability of E-SSO as a technology.

Microsoft acquires Credentica
Next is the acquisition of Credentica by Microsoft. Credentica’s U-Prove technology tightens up the security of identity transactions by decoupling the parties involved, so that no party transmits or receives more data than it needs, without weakening the verifier’s assurance that what it does receive is authentic. It uses public-key cryptography to secure the authentication and identity data flow between an Identity Provider (Issuer) and a Service Provider (Verifier) in a user-centric manner. The big claim of the technology is minimal disclosure of identity data, backed by zero-knowledge-style proofs: the user proves only the specific claims a verifier asks for, rather than handing over the whole credential.

In layman’s terms, the U-Prove technology claims to provide people a way to disclose personal information in a manner that does not threaten their privacy, or expose them to identity theft. It also limits the disclosure of information to unintended parties, preventing accounts from being linked across different service providers. Kim Cameron does an excellent job of explaining (and making a case for) all this on his blog.

Everyone is talking about the ability of U-Prove to immediately give Microsoft CardSpace a privacy property it previously lacked. The way managed cards work, the IdP can accumulate knowledge about the user by analysing the card requests it fulfils on the user’s behalf. Minimal disclosure tokens make the token presented to the SP unlinkable to its issuance, so the IdP cannot tell where or how the cards it issued are being used, and therefore cannot aggregate that information.
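To make the two properties discussed above concrete, here is an added example that is not U-Prove and not Credentica’s or Microsoft’s code. It is a toy selective-disclosure credential built from salted hash commitments and a textbook RSA signature (standard library only, so the key generation and the unpadded signature are for illustration, not for real use). The issuer certifies a set of attributes; the user reveals only the attribute a verifier asks for; and the `correlates` check shows the linkability problem that remains when the issuer’s signature travels with every presentation, which is exactly the handle a blinded scheme such as U-Prove is designed to remove. All function names, the attribute names and the sample values are assumptions made for this example.

```python
"""Toy selective-disclosure credential (added illustration; this is NOT U-Prove)."""
import hashlib
import os
import random


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin, adequate for a demo but not for production key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def issuer_keygen(bits=512):
    """Textbook RSA (no padding): returns (public (e, n), private (d, n)). Toy only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)


def _commit(name, value, salt):
    # Hiding commitment: without the salt nobody can test guesses of the value.
    return hashlib.sha256(f"{name}={value}".encode() + salt).digest()


def _digest(commitments):
    h = hashlib.sha256()
    for c in commitments:
        h.update(c)
    return int.from_bytes(h.digest(), "big")  # 256 bits, always < n


def issue(issuer_priv, attributes):
    """Issuer signs the digest of one commitment per attribute; user keeps the salts."""
    d, n = issuer_priv
    names = sorted(attributes)
    salts = {name: os.urandom(16) for name in names}
    commitments = [_commit(name, attributes[name], salts[name]) for name in names]
    return {"names": names, "values": dict(attributes), "salts": salts,
            "commitments": commitments, "sig": pow(_digest(commitments), d, n)}


def present(token, reveal):
    """Everything a verifier needs: all commitments, the signature, openings for `reveal` only."""
    unknown = set(reveal) - set(token["names"])
    if unknown:
        raise ValueError(f"token has no attribute(s) {sorted(unknown)}")
    return {"names": token["names"], "commitments": list(token["commitments"]),
            "sig": token["sig"],
            "openings": {k: (token["values"][k], token["salts"][k]) for k in reveal}}


def verify(issuer_pub, presentation):
    """Revealed attributes if signature and every opening check out, else None."""
    e, n = issuer_pub
    if pow(presentation["sig"], e, n) != _digest(presentation["commitments"]):
        return None
    index = {name: i for i, name in enumerate(presentation["names"])}
    revealed = {}
    for name, (value, salt) in presentation["openings"].items():
        if name not in index:
            return None
        if _commit(name, value, salt) != presentation["commitments"][index[name]]:
            return None
        revealed[name] = value  # hidden attributes stay behind their commitments
    return revealed


def correlates(pres_a, pres_b):
    """Linkability: the signature is a fixed handle, so two verifiers (or the issuer,
    who saw it at issuance) can tell both presentations came from the same token."""
    return pres_a["sig"] == pres_b["sig"]


if __name__ == "__main__":
    pub, priv = issuer_keygen()
    token = issue(priv, {"name": "Alice Example", "over_18": "yes", "city": "Redmond"})
    to_bar = present(token, {"over_18"})        # the bar learns only that she is over 18
    to_shop = present(token, {"name", "city"})   # the shop never sees the age claim
    print(verify(pub, to_bar), verify(pub, to_shop), correlates(to_bar, to_shop))
```

Selective disclosure works here: the bar gets a verified `over_18` and nothing else, and a tampered opening fails verification. What this toy cannot do is unlinkability. The same `sig` value appears in every presentation and was also seen by the issuer, so any two parties comparing notes can tie the presentations to one user. That is the correlation channel the CardSpace discussion is about, and closing it requires the issuer to certify a token it never sees in its final form, which is the part U-Prove adds and this example deliberately leaves out.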

To understand more, read this article in eWeek’s Microsoft Watch.