New tools automate, simplify the access certification process

The access piece of identity and access management is now center stage.

Provisioning users is one thing, but re-provisioning or de-provisioning their access to computing resources, applications, and specific data is another, and identity and access management technology is evolving to make certifying and regularly evaluating user access easier. The more closely you match a user’s access to his actual role in the organization -- and keep it updated as he transfers or changes jobs -- the better.

“If a company can manage access controls down to the role-level for employees -- and further, with fine-grained entitlements -- it will significantly reduce the insider threat problem,” says Sally Hudson, research director of identity and access management products for IDC.

Access certification was in the identity and access management spotlight today, as heavy hitters Novell, Oracle, and Sun Microsystems each announced new products for simplifying the deployment and ongoing maintenance of the identity and access management infrastructure.

Regulatory compliance, of course, has been the impetus behind this technology, but with high-profile insider incidents such as that of Societe Generale, worries about internal breaches have also put pressure on vendors to come up with better tools for access certification. “With Societe Generale, if they had regularly scheduled reviews, they could have removed the access he [the rogue trader] no longer needed. He just aggregated a bunch of access and did what he did across different systems,” says Nick Crown, product line manager for Sun’s identity and access management offerings.

Many security breaches are due to users, contractors, or former employees who are either over-provisioned for access or were never appropriately de-provisioned, IDC’s Hudson says. “With distributed systems boundaries becoming more nebulous every day, the issues of who is accessing what, when, and why become very important.”

Even so, until now access certification tools have been neither easy to use nor much help in tracking user privileges. Many organizations still rely on spreadsheets to track this.
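To make concrete what a scheduled access review automates, here is an added example (not code from the article or from any vendor it mentions) of the core check: compare the entitlements each account actually holds against the entitlements its current role should have, propose revocation for leavers and for out-of-role access accumulated through job changes, and flag in-role access that has not been exercised recently for a reviewer to decide on. The role model, the accounts, and the last-used dates are all constructed sample data; the 90-day staleness window is an assumed policy value.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed role model (assumption for this example): which entitlements
# a given job role is expected to hold.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "trader": {"trading-platform", "market-data"},
    "accountant": {"general-ledger", "expense-system"},
    "hr-analyst": {"hris", "payroll-reports"},
}


@dataclass
class Account:
    user: str
    role: Optional[str]               # None = no active HR record (person has left)
    entitlements: Set[str]            # what the account actually holds today
    last_used: Dict[str, date]        # entitlement -> last date it was exercised


@dataclass
class Finding:
    user: str
    entitlement: str
    reason: str
    action: str                       # "revoke" or "review"


def certify(accounts: List[Account], review_date: date, stale_days: int = 90) -> List[Finding]:
    """Run one certification pass over all accounts.

    - Accounts with no active HR record: every entitlement is proposed for revocation.
    - Entitlements outside the account's current role: proposed for revocation
      (typically access carried over from a previous job).
    - In-role entitlements not used within stale_days: flagged for reviewer attention.
    """
    findings: List[Finding] = []
    for acct in accounts:
        expected = ROLE_ENTITLEMENTS.get(acct.role, set()) if acct.role else set()
        for ent in sorted(acct.entitlements):
            if acct.role is None:
                findings.append(Finding(acct.user, ent, "no active HR record", "revoke"))
            elif ent not in expected:
                findings.append(Finding(acct.user, ent, f"not part of role {acct.role}", "revoke"))
            else:
                last = acct.last_used.get(ent)
                if last is None or (review_date - last).days > stale_days:
                    findings.append(Finding(acct.user, ent,
                                            f"unused for more than {stale_days} days", "review"))
    return findings


def revocation_list(findings: List[Finding]) -> List[Tuple[str, str]]:
    """The (user, entitlement) pairs a reviewer would hand to de-provisioning."""
    return sorted({(f.user, f.entitlement) for f in findings if f.action == "revoke"})


# Constructed sample input: the date of this review and three accounts.
REVIEW_DATE = date(2008, 3, 1)
SAMPLE_ACCOUNTS = [
    # Moved from back office to the trading desk; old settlement access was never removed.
    Account("j.trader", "trader",
            {"trading-platform", "market-data", "back-office-settlement"},
            {"trading-platform": REVIEW_DATE - timedelta(days=1),
             "market-data": REVIEW_DATE - timedelta(days=2),
             "back-office-settlement": REVIEW_DATE - timedelta(days=200)}),
    # In-role access, but the expense system has not been touched for months.
    Account("j.accountant", "accountant",
            {"general-ledger", "expense-system"},
            {"general-ledger": REVIEW_DATE - timedelta(days=3),
             "expense-system": REVIEW_DATE - timedelta(days=150)}),
    # Left the company; HR record closed but the HRIS account still exists.
    Account("former.employee", None, {"hris"}, {}),
]

if __name__ == "__main__":
    for f in certify(SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(f"{f.action:6} {f.user:16} {f.entitlement:24} {f.reason}")
```

The split between "revoke" and "review" mirrors what the article describes: the tool does the bookkeeping a spreadsheet review would otherwise do by hand and proposes the decision, while the business owner still signs off, which is why the stale in-role case is routed to a reviewer rather than revoked outright.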

“Access certification is mature conceptually, but it’s never been in a wrapper that made it consumable and usable by” non-technical users in the organization, says Ian Glazer, senior analyst with The Burton Group. Glazer says Novell and Sun's announcements today are encouraging. “This gives the customer a way to meet regulatory requirements while giving some nice security benefits,” he says. “This is a more organic and natural way to build out bigger identity management projects in the enterprise.”

Worldwide revenues for identity and access management license and maintenance were $3.1 billion last year, and will grow to $5 billion by 2012, according to IDC. (And that’s not including ID and access management services.)

Sun’s new Identity Compliance Manager automates the process of certifying and auditing users’ access to applications and data. It comes with revocation and remediation tracking, as well as a user interface and presentation that make this information more palatable to non-technical users as well, according to industry analysts. “Sun had a product for this that was inside its Identity Manager product, but it was not really widely deployed,” says Burton Group’s Glazer. “What they’re doing now is taking a better user experience with more context of access information -- who you are, how you relate to the organization, what you do, and what does this group mean. This makes the product more useful.”

Sun Identity Manager is the result of Sun’s previous acquisition of BindView. “This [product] is a nice onramp to bigger [identity and access management] projects,” Glazer says. “You see other vendors doing that.”

Novell rolled out its new Access Governance Suite, which is made up of Novell Roles Lifecycle Manager and Novell Compliance Certification Manager and came out of an OEM agreement with ID and access management vendor Aveksa. Nick Nikols, vice president of product management for identity and security at Novell, says the new product correlates roles with the business. “With Novell’s Sentinel, this gives you real-time event correlation that can inspect how roles are being used and to determine whether or not a particular set of entitlements has been used in a certain period of time,” Nikols says. If a user has access to an application he shouldn’t, the software would lock that down, he says.

Oracle, meanwhile, released Adaptive Access Manager 10g Release 3 today, which profiles behavior to detect fraud and online attacks in real time. “You can automatically build in a user profile what is normal behavior,” says Amit Jasuja, vice president of development for Oracle's identity management and security products. (Joe in accounting typically visits this site, and spends about 20 minutes there, for instance.)

“This defines fraud – what is okay behavior and what is not,” he says, such as a user who’s no longer with the company suddenly running Web meetings. Adaptive Access Manager comes as a stand-alone product, or as part of the Oracle Access Management Suite, he says.
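The behavioral profiling Jasuja describes reduces to a per-user, per-resource baseline and a deviation check against it. The following is an added illustration written for this page, not Oracle's code and not a description of how Adaptive Access Manager is implemented: it builds a baseline of session lengths from past sessions, then scores new sessions, alerting on an account that is no longer on the active roster (the departed user running Web meetings), on a resource the account has never used before, and on a session far longer than that account's norm. The roster, the session history, the threshold of three standard deviations, and the two-minute floor on the standard deviation are all constructed or assumed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

Session = Tuple[str, str, int]          # (user, resource, minutes spent)
Profile = Tuple[float, float]           # (mean minutes, std dev of minutes)

# Constructed sample data: who is currently employed, and past sessions
# from which each user's "normal" is learned.
ACTIVE_USERS: Set[str] = {"joe.accounting", "ann.sales"}

HISTORY: List[Session] = [
    ("joe.accounting", "ledger-portal", 18), ("joe.accounting", "ledger-portal", 22),
    ("joe.accounting", "ledger-portal", 20), ("joe.accounting", "ledger-portal", 19),
    ("joe.accounting", "ledger-portal", 21),
    ("ann.sales", "crm", 45), ("ann.sales", "crm", 50), ("ann.sales", "crm", 40),
]

# Constructed new activity to score against the baseline.
NEW_SESSIONS: List[Session] = [
    ("joe.accounting", "ledger-portal", 21),    # about 20 minutes, as usual
    ("joe.accounting", "ledger-portal", 240),   # four hours: far outside his norm
    ("joe.accounting", "web-meetings", 30),     # a resource Joe has never used
    ("bob.former", "web-meetings", 60),         # account no longer on the active roster
]


def build_profiles(history: List[Session]) -> Dict[Tuple[str, str], Profile]:
    """Learn mean and standard deviation of session length per (user, resource)."""
    durations: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for user, resource, minutes in history:
        durations[(user, resource)].append(minutes)
    return {key: (mean(v), pstdev(v)) for key, v in durations.items()}


def score_session(profiles: Dict[Tuple[str, str], Profile], active_users: Set[str],
                  session: Session, z_threshold: float = 3.0, min_sigma: float = 2.0) -> str:
    """Return "ok" or an alert string explaining which rule fired (first match wins)."""
    user, resource, minutes = session
    if user not in active_users:
        return "alert: account not on active user roster"
    if (user, resource) not in profiles:
        return "alert: resource never used by this account"
    mu, sigma = profiles[(user, resource)]
    # Floor the spread so a very consistent user is not alerted on a one-minute difference.
    sigma = max(sigma, min_sigma)
    z = (minutes - mu) / sigma
    if abs(z) > z_threshold:
        return f"alert: session length {minutes}m deviates from baseline {mu:.0f}m"
    return "ok"


def review(history: List[Session], active_users: Set[str],
           sessions: List[Session]) -> List[Tuple[str, str, str]]:
    """Score every new session and return (user, resource, verdict) triples."""
    profiles = build_profiles(history)
    return [(u, r, score_session(profiles, active_users, (u, r, m))) for u, r, m in sessions]


if __name__ == "__main__":
    for user, resource, verdict in review(HISTORY, ACTIVE_USERS, NEW_SESSIONS):
        print(f"{user:16} {resource:14} {verdict}")
```

Ordering the rules matters: the roster check runs before any statistical test, so a de-provisioned account is alerted on regardless of how "normal" its session looks, which is the case the article's example is really about.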


About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
