COMMENTARY--Everybody may be talking about public key infrastructure (PKI), but only a few companies and providers have implemented it. In the meantime, other access security technologies have gained ground and access management has proven to be one of the most successful.
Access management performs different functions. For starters, it enables systems administrators to create, delete and edit user accounts. It allows them to assign rights to groups and individuals to view, copy and store information and to assign rights to users to perform processes and transactions. Also, it automatically reconfigures the system when employees leave, thus helping to avoid keeping user accounts of ex-employees open and vulnerable to exploitation.
Briefly put, access management can provide a cheaper alternative to PKI for creating groups of trusted individuals or organizations. In a trading exchange, for example, user rights are granted to trading partners for looking up prices and availability of products and services.
Access management's popularity continues to rise alongside the demise of PKI-enabled applications. PKI in general is different from access management because it deals with the identification of the users, whereas access management deals with what users are allowed to do with applications. PKI-enabled applications are a shortcut to resolve the issue of trusting where the application is coming from. All three types of technologies--PKI, access management, PKI-enabled applications--are complementary and can be used in combination or on their own to provide higher levels of trust for users accessing data and applications.
Why access management?
Compared to more sophisticated and expensive security implementations, access control and management--that is, the software and processes to grant users access rights to systems and applications (for example, an intranet or extranet)--is enjoying great popularity. Many enterprises have given it priority over other IT security projects.
Access management is a type of technology within the access security category, which comprises firewalls, PKI, and access control and management.
After initial enthusiasm about PKI-enabled applications--that is, applications that have embedded security based on PKI technology (the typical example is secure e-mail)--security vendors are moving back to more traditional technology for access management. Entegrity, for example, is a vendor that had managed to market PKI-enabled applications successfully, but then realized that building security into applications is not as effective as securing the applications server. Entegrity will still push its PKI toolkit, but market demand remains low.
PKI-enabled applications: yesterday's stars, today's flop?
When first launched, PKI-enabled applications were hyped as being one of the best things that could happen to the e-security industry. However, they have not gained the mindshare that vendors hoped. Applications such as secure e-mail still have hopes for future success, provided that they can be controlled from a central management console; today, applications must be re-coded manually. Until a solution to this issue is available, there are few chances for these applications to be deployed on a large scale.
However, the wave two ASP model could solve this problem due to its one-to-many distribution model. A second-wave ASP delivers an application as a centrally managed service only and has been designed from the ground-up for this form of delivery.
Some vendors managed to pick up early warning signs; for example, Tivoli, RSA Security and Entegrity have changed their strategy to accommodate the access management market, and have reorganized their resources in order to invest more in this type of technology in terms of sales support. Few eyebrows were raised when vendors announced new products for access management because, to be fair, access management is 'old hat'. Nevertheless, organizations have real problems granting the right level of access to users. They need to deploy a system in a short time frame and the system must be easy to control from a central point.
Most vendors of PKI-enabled applications have already diversified their offering, but one requirement is to improve the existing functionality of their applications to ensure they can be updated automatically, not manually. PKI will not disappear because it has few rivals in the intra-enterprise arena, but there is a market need for access management applications that are easier to use and for flexible pricing models.
Access management vendors should expand their support of complementary products such as firewalls either through their own R&D or through partnerships.
So-called wave two ASPs have a real opportunity to reinforce security within their applications and therefore have an additional element of differentiation in their offerings, by partnering with access management specialists and embedding access management within their application servers.
Maintenance of the access management component will be quick and easy due to the true one-to-many distribution of the wave two model, thereby eliminating the usual problem of upgrading.
Paola Bassanese is an e-services analyst with Ovum.