Sun Redefines ID Lifecycle Management

• By John K. Waters
• September 11, 2006

Is there a process in IT today that doesn't have its own ''lifecycle?'' We have application development lifecycles, product lifecycles, SOA lifecycles, information lifecycles, and service lifecycles. I just spotted a press release in my email inbox from a provider of a VoIP lifecycle management solution. And there's a message haunting my voice mail from someone who wants to talk with me about ''automating the spreadsheet compliance lifecycle.''

Is ''lifecycle'' going the way of ''platform,'' devolving into a kind of verbal duct tape? Not yet, but it's getting there.

I mention this because I needed to get the grump out before telling you about a big announcement Sun Microsystems is set to make today at the Digital ID World conference, which is just getting underway this week in Santa Clara, CA. (It runs Oct 11-13). The news, as I'm sure you've already guessed, is about the latest release of the Palo Alto, CA-based company's identity lifecycle management solution.

I'm pleased to say that during their a tag-team product briefing, Sun product managers Andy Land and Chris LaPoint rocketed past the jargon du jour before my eyes could glaze over.

''Some people call it ID lifecycle management,'' Land explained, ''some call it employee lifecycle management. It's all about the provisioning process.''

ID management as a product category falls under provisioning, which is not so much about passwords and retinal scanning as it is about simply deciding who gets access to which resources within an organization. Most companies provision through homegrown systems or disparate manual processes--you fill out a form, turn it in at the right desk, and somebody gives you a laptop and a password that gets you into this or that database. The Sun Java System Identity Manager automates that process, from initial provisioning, through changing roles, all the way to termination.

With release 7.0 Sun takes ID management to a new level by adding an automated process that monitors and enforces the business controls you thought you put in place during the provisioning process. Sun calls this capability ''identity auditing.'' If ID lifecycle management answers the question, ''What access should a user have?'' ID auditing answers the question, ''What level of access does a user have?''

''With this release we're redefining the provisioning market,'' Land told me. ''We've seen the convergence of these two distinct processes, and so have our customers. Basically, we had to do something innovative to bring them together and drive the market in this direction because our customers told us to.''

That's a bold statement, but it's not mere marketing swagger. Sun has been a leader in ID management at least since the product category took off about two years ago. Both Gartner and Forrester put Sun at the head of the pack in this market, so it's not surprising to see the company move early to provide this new auditing component. While enterprise interest in ID management has been fueled by a range of factors, demand for identity auditing will likely be driven by compliance requirements, LaPoint said.

''If you had perfect provisioning up front, there would be no business need for auditing capabilities,'' he said. ''You'd never have a violation of your defined business policies, so you'd never need to interrogate your systems to check for them. Of course, provisioning concerns always come up after you have a thousand different systems in place and a thousand different ways of doing things. But even if you provision perfectly, government regulations now say you have to prove it.''

New auditing features in Sun Java System Identity Manager 7.0 provide users with the ability to audit for violations across multiple applications and automatically remediate; to detect and fix pre-existing violations; to maintain baseline roles and audit practices; to implement a ''certification review/manager attestation'' cycle to show due diligence; and to extend controls to extranet-facing projects, which might include remote workers, partners, and customers who require high transactional throughput.

Sun is announcing the product today; it's scheduled for general availability in October.

My earlier grumping notwithstanding, it's fair to say that any process that ends with ''termination'' has earned its lifecycle label.