IBM buys into single sign-on, ID management

Big Blue acquires Encentuate, known for its HIPAA work


IBM's deal for startup Encentuate should deliver two big additions to its single sign-on and authentication products, an area where IBM already is the market leader. One is customers in the sought-after health care industry; the other is greater flexibility, so employees aren't locked into using one type of token or smart card for strong authentication.

The acquisition, for an undisclosed sum, follows a string of deals by big vendors for identity management and access control startups.

Six-year-old Encentuate has 80 customers, with around half its business from health care groups dealing with U.S. HIPAA rules for information security. "Even though, in some cases, they're small hospitals, they require a certain compliance richness," says Zorawar Biri Singh, president and CEO of Encentuate. "An ability to meet their requirements is readily exportable to other markets."

Encentuate will be integrated with the elements of IBM's Tivoli Access Manager suite, including Identity Manager, Federated Identity Manager, Compliance Insight Manager, and Security Operations Manager. Tivoli resells single sign-on software from Passlogix, and it will offer an upgrade program to Encentuate, which has the potential to irk some current users.

Encentuate lets employees in different parts of a company be authenticated with tools they already have, such as smart cards, biometrics, tokens, and RFID badges, says Joe Anthony, program director for security and compliance management at Tivoli. That, combined with single sign-on to all the applications and data they're authorized for, is a big convenience. In the past, single sign-on "meant that everybody had to have the same second factor, like a token or a smart card," he says. "It's just another thing to keep track of."

IBM also will adopt Encentuate's development facilities in Singapore as a software security lab, its 59th lab. Encentuate has two-thirds of its 40 employees at the site, all devoted to R&D.

Encentuate's authentication products go beyond setting user ID and password requirements. Its Identity and Access Management and its Strong Authentication products also track user activity and can provide a context for what an employee was doing as he accessed certain data or files. That audit trail can be critical to meeting regulations. "Compliance is driving a lot of our customers' decisions," Anthony says.

SINGLE POINT OF FAILURE?

Single sign-on, though, can be a point of tension. Companies get queasy about letting employees access a wide range of applications and data via a single password. Single sign-on "isn't necessarily good for security, because it consolidates to a single failure point," says Rich Mogull, founder of security consultancy Securosis.

However, many of these same companies want to reduce the number of passwords and access methods they use, both to reduce technology costs and to simplify administration. "We've seen a lot of traction there, especially when linked with broader identity management, which Tivoli tries to do," Mogull says.

IBM is expanding its access control and identity management suite at a time when Hewlett-Packard is pulling back. HP will "focus its investment in identity management products exclusively on existing customers and not on pursuing additional customers or market share," says Eric Vishria, VP of HP software. HP will continue to support its Identity Center products and supply consulting services.

Still, the market is fiercely competitive, with Sun Microsystems competing effectively with its Identity Manager, Access Manager, and Role Manager. Microsoft just this month acquired Credentica's U-Prove identity and access management software. And open source code continues to invade the market segment. At the end of February, the Eclipse Foundation released Higgins 1.0, a free identity management framework for managing users across multiple sites and applications.

---

Startups Snatched Up

MICROSOFT - Credentica, March 2008

PING IDENTITY - Sxip Access, March 2008

SUN - Vaau, Nov. 2007
