SecurityNewsletter.com : Would you say that the IAM market is now done with its consolidation ?

Pierre G. Noel : It's stagnating, for sure. Most changes now are only addition to existing solutions. So in a way, it's still a technological approach, even though IAM's goal is above all to set up controls. Now, the market goes toward roles management. This makes sense, and we see that many IAM projects that got stuck somewhen during deployment where lacking in that area. But technology plays a very small part in role management. What's important there is to understand the business requirements of each customer. If you can't understand a company's structures, you will not understand roles and in turn will be unable to manage them properly. 

Some believe role mining is a solution here, while others state that it's close to useless. We are in between those two extremes, and we insist on service, before and after the role management part.

SecurityNewsletter.com : From a technological point of view, though, would you say that IAM is mature now ?

Pierre G. Noel :  Yes, we are at a plateau now. When we look at the technologies and listen to the customers, we are confident the market is able to answer their needs. At IBM we were lacking multiple factors authentication, but we now have that, thanks to our Encentuate acquisition.

SecurityNewsletter.com : Speaking of which, you bought Encentuate last march as a SSO (single sign on) vendor. But you already had such a solution with Passlogix, through an OEM deal...

Pierre G. Noel :  For the last eighteen months we told our customers that we want to be able to address their security needs globally, be it through technology, services, products or manpower. This strategy was already visible in 2006 when we acquired ISS. With Acentuate, our IAM portfolio is now made of products we own. It's our strategy to fully control our portfolio to deliver from A to Z.

SecurityNewsletter.com : Solutions... most of them offer the same set of functionalities. How can they be different ?

Pierre G. Noel :  I believe you need to go beyond the products themselves and even beyond just comparing suites. Companies must rather ask themselves if their provider can help them with all their growing security needs, from A to Z. IAM is no different than the rest of security. And that's what our acquisition strategy focuses on : being able to cover all our customer needs, with a wide-angle view on security.

SecurityNewsletter.com : In january of 2005, IBM acquired SRD, specialized in identity reconcilation. How will this acquisition fit in IBM's portfolio ? Will this be integrated with Tivoli Identity Manager, and if so, when ?

Pierre G. Noel :  We can't give any ETA yet. This acquisition has much more potential in security than just IAM. It may be used, for example, to map links between identitie, to help know who knows who, what's really in an identity, etc...

SecurityNewsletter.com : What is your opinion about standards and initiatives that form the foundations of Identity Federation, like WS-Security, Liberty Alliance, etc... ?

Pierre G. Noel :  IBM supports open protocols. But the truth is, when a company wants extend IAM to its partners or its suppliers, it does not need much technology. It's above all a legal matter, with contracts. So this is more a market-to-be than anything else. At the technical level, there is no difficulty.

SecurityNewsletter.com : Do you believe Open Source has a part to play in IAM ?

Pierre G. Noel :  Is this technically possible ? Yes. Is this advisable ? That's a matter of risk management. A more conservative company will rather chose a solution backed by a vendor. But if so it wants, a company will find Open Source solutions in authentication, SSO and Identity Federation. And soon enough in provisonning and role mining I guess.

SecurityNewsletter.com : From a higher point of view, where is the security market standing now ?

Pierre G. Noel :  Security as a whole is maturing. First phase was to protect against the external threat. The second phase is to protect against the inside threat, and IAM can deal with that. The evolution now goes toward managing risk, and this goes through good reporting, showing the right information to the right people in a less technical way, and aligned with regulations.