Netegrity marks new era of access control

CEO Barry Bycoff and CTO Deepak Taneja discuss enterprise portals and the impact of Web services

Leveraging its traditional expertise in security and authentication, Netegrity has quickly gained a leadership position in the emerging identity management space. Test Center Director Steve Gillmor and InfoWorld editors sat down with Netegrity CEO Barry Bycoff and CTO Deepak Taneja to discuss Netegrity’s integrated approach, enterprise portals, and the impact of Web services.

InfoWorld: Can you give me an update on Netegrity and what’s going on with the company?

Bycoff: Well, from a strategic point of view, we’re on a very, very aggressive growth path. We are moving from being the market leader in security to a much broader position as a player in the application infrastructure space, providing not only access [to applications] but identity management and portal management. And [it’s] all built around the concept of supporting a heterogeneous computing environment. We believe [there’s this] layer of application infrastructure that should be shared among applications for access control, for identity management, and for portal management. And we are actively working on a platform that will provide this capability in the fourth quarter. And by combining these elements, we are able to significantly reduce the deployment time, extend the functionality, and dramatically alter the administrative requirements of the enterprise.

InfoWorld: So why do you think the identity management stuff and the authentication stuff and the portal stuff need to be integrated? Because other folks would argue — whether it’s Plumtree or Epicentric — that you’re better off having them as separate layers?

Bycoff: Simply this. You cannot provide the security — both in the portlet or within the application itself on the back end — necessary to really get fine-grained transactions occurring at the portal itself. Secondly, all you’re doing is replicating the administrative tasks required for access, for roles, for workflow.

Taneja: There [are] really two arguments for the integrated approach. The first is [economic]. How much is it going to cost someone to manage these layers independently and manage three or four independent products? How much is it going to cost a large company to deal with three different models for roles-based management, three different delegation models, three different auditing models, three different messaging models, three different monitoring models? The administrative benefits [of] dealing with a single layer are phenomenal. So that’s one argument, and usually when we talk to CIOs and VPs of IT about what it would take to train administrators on different products, the light bulbs go on right away. They understand what it means to deal with a single layer vs. multiple layers.

The second argument is really a technical argument, and that says, look, the coupling between these layers is in fact so strong, their relationships are so strong, the number of touch points is so many, that thinking of them as separate layers is just a bad idea. And I think people accept the fact that there are a lot of these touch points between access control and identity management. I think there’s a lot more resistance when we talk about the touch points between access control, identity management, and the portal; people are less willing to believe that the portal should be part of this mix. And so that’s when we have to give them examples of the touch points. The typical portal today will have its own user management store, it will have its own user repository. Can you leverage an LDAP’s repository directly over SSL from a portal? The answer is no. There is only one portal in the world that can do that, and that is the portal that Netegrity builds, integrated with our SiteMinder product. All the other portals in the world will say, “Well, you [can] access your LDAP directly from SSL if you like, but then we’ll synchronize with that LDAP directly using our own synchronization tool.” [The problem with that is] the synchronization tools are not secure and don’t operate over SSL, and synchronization adds yet another layer of administration, yet another failure point — not to mention that there’s a time difference [between] when a user’s profile changes in the directory and when it changes in the meta-store that the portal uses.

InfoWorld: A lot of people seem to connect identity management and authentication, and certainly Netegrity seems to have its brand image associated with that space more than portals. But is it really a security question or is it more an access to applications issue that seems to be driving the space?

Bycoff: I think it is access to applications, and secure access to applications. So I don’t think you can look at one or the other and say, it’s this issue. When our customers see our capabilities relative to application integration and portlet wiring and securing the access to this, they get very excited. We view the portal as kind of the gateway to the enterprise. Much the same way as you view access control and identity. The portal is driven off of identity-based services.

InfoWorld: How would you compare and contrast yourselves to all the other players in this space, whether it’s Oblix or Open Network or CA or Tivoli or Sun?

Bycoff: We were the first mover. The rest have kind of followed. And if you believe the Meta Group, we own about 75 percent of the market. We dominate the major companies. We have deployments that extend well beyond 3 to 4 million users. No one else can show that.

When you look at just the access control [space], that’s how we would separate ourselves from the Oblixes of the world, the CAs of the world. But as we move forward, we’re talking about a deeply integrated set of products with this common, single point of administration and a very tightly integrated platform for providing a single view of the enterprise, or a gateway to the enterprise. I think this concept is another first mover advantage for Netegrity.

InfoWorld: What’s your take on Microsoft? Because they’re out now talking about the wonders of integrating the portal with the Office suite and throwing CRM in on top of that and whatever else they can find.

Taneja: Microsoft is late to the portal party, but they understand the implications of the portal. They understand that the portal could become, and is likely to become, the desktop or Webtop of the future. And I think they are now looking at, as they always do, leveraging their key strength in areas such as basic business applications, like Office and e-mail systems and so on, into a stronger portal story. I think we can expect them to tightly integrate their content management, their mail systems, their Office applications, and so on, with a portal. And even though that portal, in and of itself, might not be very good — and isn’t very good right now, certainly — they will use the fact that it’s integrated with systems that have dominant market share to try and gain world market share.

InfoWorld: You’ve got an integrated suite of products coming out in the fourth quarter. What’s next?

Taneja: We’re trying to do two things. First, we’re going to move towards the next level of integration. We’ve integrated quite a bit in this [upcoming] release, but we can go even further. We want this to be so compelling that the CIOs of Fortune 500 companies don’t even look at other vendors’ products. And to do that the administration models have to be fully integrated and completely common. So we’re going to shoot for that next level of deeper integration going forward. No. 2 is on the identity management side. We need to complete our vision with an end-to-end identity management solution that includes the provisioning of user access rights through enterprise applications. And that is something we do not have in the version of the platform that’s shipping in October. This platform will be able to provision users to LDAP directories, which are typically used for controlling access to Web applications. We want to be the single point of administration for identities for the entire enterprise, and to do that we need a provisioning engine as part of our platform. We need adapters for SAP, PeopleSoft, Siebel, Microsoft, Exchange, Lotus Notes — the top 15 [or] top 20 applications and environments out there in enterprises. So that’s a key focus for us going forward.

And third, we have a big effort on the Web services front, so we’re going to take our Web services story forward, from an administration standpoint, to make it really easy for people to provision, secure, and manage Web services from our platform. We’re going to take that a couple steps further beyond October. We’re going to provide UDDI integration; there’ll be a UDDI registry that will be part of our platform. We’re going to make the process of exposing Web services even simpler than it is with this [upcoming] release. We’re going to provide better Web services choreography, so while we have a workflow engine in this release, we’re not really choreographing Web services the way the Fidelitys and E-Trades of the world want us to. We’re getting a lot of feedback right now from the beta sites that are using our portal and our TransactionMinder Web services security product. And that’ll help us further fine-tune the Web services story. So those are the three key areas for us with the 6.0 platform, which we’re trying to have shipping around the middle of next year.

InfoWorld: What’s your take on Web services and on who’s driving the standards process?

Bycoff: We’re very active in the Web services space from a product point of view. We’ve made some announcements at Catalyst that when you combine our portal product with the new security product we have coming out in the fourth quarter [TransactionMinder], you can discover, you can secure, you can transform, and you can manage Web services through the combination of our products. We’re feeling very, very good [about] having taken our solution into the Web services space, being ahead of the competition [there]. What we’re avoiding is the creation of Web services. The major players — Microsoft, Sun, IBM — they’ll obviously be the major players in the creation of Web services themselves. But in the other areas of management, we feel distinctly advantaged in providing the infrastructure for management via Web services, both intra-enterprise and cross-enterprise.

Taneja: [The standards process] is all over the place and it is frustrating. It’s just as hard for us as vendors to deal with all of that as it is for you to track what’s going on. To some extent, in the Web services space, the standardization activity has been hijacked by Microsoft, IBM, and Sun. Microsoft and IBM probably more than Sun. Sun’s late to the party. And it’s very political, even more so than it is in the J2EE world. In the Java world, to some extent, Sun is controlling the show, so there’s at least only one place to go to see what the hell’s going on. That’s not true with Web services. And I don’t know what to tell you other than I think a lot of these standards won’t go anywhere. A lot of these organizations and alliances won’t produce anything that’s useful.

InfoWorld: On the one hand we seem to have a spec from the Liberty Group, then we have Microsoft, and then we have the XNS group. Can you sort out for us all the federation approaches out there?

Bycoff: You mentioned Web services and Liberty. We’ve been asked to become a founding member of WS-I. We are very active [as a] sponsor of the Liberty Alliance. So we are all about standards. This is the company that built the predecessor to SAML [Security Assertion Markup Language], prior to turning it over to OASIS. So we’re promoting standards. That’s our way of winning. Keeping our architecture open is another major focus for us, because we realize that there are competitive products out there and we need to support open standards like JSR168 [for] portal interoperability and some of the provisioning standards that are coming. So we’re very active [in support of] standards and our architecture is very open, because of the environments we support.

Taneja: As this concept of an enterprise portal starts to take over, as companies start to think about working with their business partners, suppliers, customers, and so on through a single set of infrastructure components, they have started to realize that they in fact cannot expect to deal with a single security system or a single identity management system. So even though they might standardize on a single access control solution or a single identity management system, they’re going to have to work with their partners and suppliers, who in fact will have different security engines, different identity engines. And that raises the kinds of scenarios where people are getting authenticated by one company in one spot and then are trying to do something or trying to access an application that’s owned by a second company. That is the typical scenario that a lot of these standards bodies and pseudo standards bodies or alliances are trying to deal with. And it all has to do with [the question], how do you make multiple security engines, [full] identity engines in a distributed world, work with each other? As a user moves around, that user gets a seamless experience, and everyplace that user [goes] knows who this person is and what privileges this person has, what entitlements this person has, what affiliations this person has. When you think about how you solve that problem, the obvious answer is [you need to] come up with some standards that dictate how this information is going to be shared, regardless of where the information comes from or who asserts it, or which security engine actually creates the token that captures the information. If you can come up with standards for describing that information and sharing that information, that is good for the industry.

So all of these efforts are trying to deal with the same set of scenarios. They’re just dealing with them at different levels. SAML [was] sort of the first XML-based standard for trying to deal with this set of scenarios, [and it] dealt with them at a fairly low level, at the request/response level. Netegrity was one of the big supporters of SAML. And we helped define a set of XML schemas for describing a user’s entitlements, and a request response model for how one entity could ask another entity about the user’s entitlements and the second entity could respond to the first one.

Now the Liberty Alliance is going one step further and it’s talking about, in fact, the next layer up from that simple request response model. What is the protocol that is going to be used by two entities to go beyond simply pulling a SAML assertion or sorting out the SAML assertion? And whether the work the Liberty Alliance tries to do will turn into a set of widely adopted standards sort of remains to be seen. But that’s where the industry is headed. It’s dealing with this notion of multiple security engines, multiple identity engines, operating in a distributed world, and [it’s] trying to standardize how these security engines will talk to each other.

InfoWorld: It sounds to me like we’re going to have different SAML security engines. And at some point, won’t we need to define this layer that will coordinate the activities across those different engines?

Taneja: Well, I think the Liberty Alliance certainly is using SAML, so they’re not trying to reinvent the wheel at that lowest level. They’re trying to go one step beyond where the SAML committee went. So I don’t think we’ll have competing standards as far as that basic request response model and the definition of the assertion itself [are concerned]. What we may have is another layer of standards that show up a level above the simple SAML approach. And it’s not clear yet whether standards above and beyond SAML will in fact be accepted widely. SAML certainly at this point has wide acceptance. Microsoft has agreed to support SAML as part of the WS-Security initiative, so a SAML assertion showing up inside a SOAP envelope is something that Microsoft will be able to parse, and in fact is willing to generate as well. The Liberty Alliance, as I said, is using SAML, so we feel pretty confident that SAML will be an important standard. The application server vendors, both BEA and IBM, are committed to supporting SAML. At the recent Burton Group conference, all of the security vendors pretty much came out in support of SAML. There was a great interoperability demonstration. So SAML, I think, is going to be accepted. What happens beyond SAML remains to be seen.

InfoWorld: Where is Microsoft supporting SAML?

Taneja: They came out in support of SAML. They’re not supporting all of the SAML profiles, but they are supporting the basic profile, which is great.

InfoWorld: SAP’s got a portal, and IBM, BEA, and the other app server vendors have a portal, and everybody who ever sells anything these days has a portal. And then there are the dedicated portal vendors. Do you perceive a shakeout coming in this space?

Bycoff: I think it all turns into application infrastructure, a server-based application infrastructure. That space that will be defined, we are moving aggressively on [it]. Because I think our customers are not wanting to integrate a lot of moving pieces on their own. They’re wanting to get the pieces integrated, working together, so that the execution of their business strategy becomes a lot easier on them. Getting the plumbing right is incredibly important, so it’s not just about security, it’s not just about identity, it’s not just about portal services. It’s about providing the right infrastructure upon which to execute your business today.

InfoWorld: Beyond shipping the new stuff in the fourth quarter, what’s the thing coming down the pike that’s going to transform the company or the space? What’s the big thing you’re looking forward to?

Bycoff: In addition to the platform, which I think is going to redefine the space and up the requirement for the competition, we continue to build partnerships upon which to execute this. Look at our relationships with companies like Accenture [and] HP, which we’ve just announced. Those are important mechanisms for us to in fact deliver this new platform. [And] as the new platform segues into Web services, I think you’ll see that the combination of all these products makes even more sense. Because the Web services piece becomes much more of a focus on security, becomes much more of a focus on multivendor and transformation of multivendor XML content. So I’m looking forward to 2003 being a year of a lot of Web services pilots that can be built upon the infrastructure that people are buying from Netegrity starting in the fourth quarter.

Source: www.infoworld.com