IBM buys into single sign-on, ID management

IBM's deal for startup Encentuate should deliver two big additions to its single sign-on and authentication products, an area where IBM already is the market leader. One is customers in the sought-after health care industry; the other is greater flexibility, so employees aren't locked into using one type of token or smart card for strong authentication.

The acquisition, for an undisclosed sum, follows a string of deals by big vendors for identity management and access control startups.

Six-year-old Encentuate has 80 customers, with around half its business from health care groups dealing with U.S. HIPAA rules for information security. "Even though, in some cases, they're small hospitals, they require a certain compliance richness," says Zorawar Biri Singh, president and CEO of Encentuate. "An ability to meet their requirements is readily exportable to other markets."

Encentuate will be integrated with the elements of IBM's Tivoli Access Manager suite, including Identity Manager, Federated Identity Manager, Compliance Insight Manager, and Security Operations Manager. Tivoli resells single sign-on software from Passlogix, and it will offer an upgrade program to Encentuate, which has the potential to irk some current users.

Encentuate lets employees in different parts of a company be authenticated with tools they already have, such as smart cards, biometrics, tokens, and RFID badges, says Joe Anthony, program director for security and compliance management at Tivoli. That, combined with single sign-on to all the applications and data they're authorized for, is a big convenience. In the past, single sign-on "meant that everybody had to have the same second factor, like a token or a smart card," he says. "It's just another thing to keep track of."

IBM also will adopt Encentuate's development facilities in Singapore as a software security lab, its 59th lab. Encentuate has two-thirds of its 40 employees at the site, all devoted to R&D.

Encentuate's authentication products go beyond setting user ID and password requirements. Its Identity and Access Management and its Strong Authentication products also track user activity and can provide a context for what an employee was doing as he accessed certain data or files. That audit trail can be critical to meeting regulations. "Compliance is driving a lot of our customers' decisions," Anthony says.