Posted by Bob Craig - Dir Prod Marketing on Fri, Jan 08, 2010
The industry analyst landscape has been going through some major changes lately. In the latest development, Gartner has acquired Burton Group shortly after snapping up AMR Research in December.
As a leader in the identity and access management (IAM) market, Courion has had positive, fruitful relationships with the IAM analysts at both firms. We have a great deal of respect for the breadth of knowledge and customer service focus demonstrated by both groups of analysts and are proud of Courion's market leadership positioning in the Gartner Magic Quadrant for Provisioning and Burton's Market InSight user provisioning report.
Burton provided a valuable, independent perspective which we, many of our customers (and, yes, even our competitors), relied on for an alternative point of view. They have long had a reputation for a high level of technical expertise, while Gartner has generally placed more emphasis on the strategic business impact of IAM. While we will miss the opportunity to compare and contrast Burton's free-wheeling, technological approach with Gartner's corporate viewpoint, the combination of these points of view has the potential to significantly strengthen Gartner's IAM and other security capabilities.
We think both outlooks have a place in the market and hope that Gartner employs a "big tent" strategy that accommodates diverse points of view. Knowing the Gartner team as we do, we are optimistic they will work hard to make the Burton analysts feel welcome. It would be unfortunate if some of the exceptional, creative Burton analysts felt that their perspective wasn't appreciated at Gartner.
However this event turns out, we wish our colleagues in both organizations well and look forward to continuing to work with them in the future.
Posted by Todd Chambers - CMO on Thu, May 21, 2009
CONVERGE 09, Courion's 7th annual customer conference, wrapped yesterday exceeding all our expectations. There was a lively exchange of ideas, best practices and sharing of valuable information amongst the attendees, who represented a broad mix of companies and industries.
This year's theme, "Turning Today's Challenges into Opportunities," set the stage for discussions of how, even in difficult economic times, companies can leverage their investment in Courion technology and services to improve compliance and security, while maximizing business efficiency.
Customers such as SunTrust Banks, Brookdale Senior Living, People's United Bank, Dollar Tree Stores, FirstData Corporation, and Memorial Hermann Health System discussed their strategies and results achieved with Courion technology, including best practices to reduce costs and deliver self-funding projects.
We would like to thank our premier sponsor RSA, the security division of EMC, and our featured sponsors Cyber-Ark and Radiant Logic for their participation, and especially all of our customers who took time out of their busy lives to come and make the event a success.
Posted by Kurt Johnson - VP Strategy on Thu, May 21, 2009
On the heels of our 7th annual CONVERGE conference, Sam Curry, VP of product management at RSA, posted some reactions on his "Speaking of Security" blog.
Sam and I had the pleasure of presenting a session together that explored the possibilities of a comprehensive access and compliance management strategy. The presentation explored the various complexities organizations are dealing with for a comprehensive security and compliance strategy. This includes information sprawl, identity sprawl, and infrastructure sprawl in light of increased threats and increased regulation. The reality is many security organizations have addressed this from a reactive perspective, resulting in numerous point products focused on individual points of control.
What's needed is a proactive strategic approach that addresses this from a holistic view represented by a security system or ecosystem. That is the only way to get ahead of these issues and properly balance the people, process, and product requirements. In the post, Sam pulls out the top line summary of the zero sum game that's played between security and performance concerns. By adopting a true security system approach, an organization can ensure higher security doesn't come at the expense of decreased efficiency and business performance. Courion's product suite is designed around this concept, recognizing the critical importance of linking to other parts of that ecosystem, and is at the core of our partnering strategy.
I, for one, appreciated Sam's participation to communicate the aspects of this joint strategy. I appreciate our other partners and customers who participated, and was thrilled to see so many of them coming away with fresh ideas and actionable advice to further their IAM strategies. As Sam pointed out, organizations can be very successful with IAM. This success is measured in business value. When you can achieve this, you make them the happy people Sam encountered while at CONVERGE.
Posted by Todd Chambers - CMO on Tue, May 12, 2009
I thought you'd all be interested to know that, thanks to the support of our ever-growing customer base, today we announced record sales, revenues and profits for the first quarter of 2009. Read the full press release here.
Some of the highlights of Q1 included:
- Industry Recognition: Positioned in the "Short List" category in Burton Group's 2009 User Provisioning report on January 15, 2009.
- Awards: Named the winner of the SC Magazine Awards Europe in the Best Identity Management category.
- New Products: Released Compliance Manager for SharePoint, a solution designed to ensure that SharePoint sites are managed according to appropriate security policies and industry best practices.
Posted by Kurt Johnson - VP Strategy on Thu, Apr 30, 2009
It's no mystery that cloud computing is the current hot topic in the industry. Whether it's the next major "paradigm shift" (I shudder at the mere use of the term) or it's merely enjoying its 15 minutes of fame, it clearly has industry buzz. Cloud computing security is riding this wave as well, with much discussion, focus, and vendor marketing aimed at the subject at the most recent RSA Security Conference in California last week.
In good timing, the Cloud Security Alliance recently published its initial report, "Security Guidance for Critical Areas of Focus in Cloud Computing". I agree with the alliance's belief that cloud computing represents an important trend that has the potential for major change in business with its increased adoption. I think the alliance is spot on that the basic tenets of security: good governance, managing risks, and common sense, do not change. But, it's paramount that security professionals get ahead of the curve to address the security issues as businesses adopt cloud computing.
The mission of the Cloud Security Alliance is to provide best practices to secure cloud computing. Its initial report makes great strides by outlining areas of concern and guidance for organizations adopting cloud computing. Key areas identified include governance, audit and compliance, and Identity and Access Management (IAM).
While we are encouraged to see IAM addressed in this initial report, the primary focus is on the need for a robust federated identity management architecture, its insistence on standards such as SAML, WS-Federation, and Liberty ID-FF, and authentication. The governance and audit sections also highlight important best practices. While we wholeheartedly agree that these are important tenets, it's also important to address other key areas of IAM focused on identity administration and audit and instilling a strong Access Assurance framework.
The complexities of ensuring that the right users have the right access to the right resources and are doing the right things with them are increased with cloud computing. Just as the alliance states, strong security practices do not change with cloud computing. This applies to access assurance issues as well. But, managing them can be more complex, time consuming, and open to error and oversight. Access Assurance best practices are a critical component to managing this increasingly important computing (dare I say it) paradigm.
Posted by Brian Milas - CTO on Thu, Apr 30, 2009
NIST Special Publication (SP) 800-118 - DRAFT (PDF)
NIST has published a DRAFT Guide to Enterprise Password Management. Network World has commented on the draft standard. After skimming both articles, here are some additional thoughts.
The Network World article starts off by describing why passwords are bad, difficult to use, written down, etc. With any form of authentication, we could come up with things that we don't like about them. Hard tokens are expensive and I have to carry around another device. Or WebSSO is great, but I can't afford to refactor my legacy applications to use a new authentication model. ESSO makes systems easy to use but has a "keys to the kingdom" consideration. Fundamentally, this comes down to a trade-off between security and the service/cost that's appropriate for the business. You can't make everything bulletproof, so mitigate your risk.
The content of the NIST guide has many best practice recommendations for companies to evaluate for their business:
- strong authentication 2 or 3 factor
- password policies (strength, expiration, lockout)
- securely storing passwords
- combating password cracking/guessing attacks
- education to combat social engineering
The guide also discusses password management as a broad topic, encompassing many products that relate to passwords (rather than the traditional password reset products):
- ESSO
- password synchronization
- local password management (local password vault)
I agree that "password management" is broadening to include these capabilities. One might extend the notion of password management farther, also incorporating:
- Web Access Management
- Federation
- Privileged User (administrators) management
What are your thoughts?
Posted by Kurt Johnson - VP Strategy on Tue, Apr 21, 2009
Yesterday Oracle announced it had agreed to acquire Sun Microsystems. My friend Dave Kearns sent an email asking for reaction (for those of you unfamiliar with Dave's work, I strongly suggest you subscribe to his blog and identity management newsletter) and it got me thinking. Oracle's positioning is talking about providing an integrated system from "application to disk" and also lauds the merits of having Solaris and Java at its disposal. But, nowhere do you hear anything about identity management. This is of no surprise as the acquisition was not motivated by a strategy of combining identity management solutions. However, if you're a Sun identity management customer, you have to be concerned due to the significant overlap between Oracle's and Sun's IAM product lines.
So, this got me thinking about the importance of the "new" vendor viability. As an independent player who is a wee bit smaller than some of the companies we compete with in the IAM market, Courion sees vendor viability thrown in our faces at times in competitive situations. Although we've demonstrated product innovation and leadership (according to Gartner and Burton Group among others) and are recognized for a strong track record of customer success at a fraction of the overall implementation and service costs, our competition (including Sun) would throw the viability FUD in there to try to wrestle deals away. Comments such as "They're too small"; "They're not going to be around much longer"; "We're going to crush them" have all been things we've heard in selling cycles for a long time.
Well, I believe the Oracle Sun acquisition highlights where the real viability concerns lie. Clearly the IAM business was not a consideration of Oracle when acquiring Sun. There is tremendous overlap between the product sets and one can only suspect that Oracle will be announcing an end of life plan for the Sun Identity Manager products before too long.
Consider other announcements over the last few years. HP acquires Trulogica as an entry into the identity management market only to announce a few years later that HP was getting out of the business. Similarly BMC announced it was dropping traditional identity management. After acquiring Netegrity, much of the original Business Layers identity management products have been "evolved" by CA under a completely different architecture. It sure appears to me that size has nothing to do with IAM vendor viability.
IAM is what Courion does. We can't afford to give away hardware, operating systems, databases, or anything else if the project goes bad. We must have customer success for each and every project as there is no other way for Courion to "make it up" to the customer. Clearly a company like Courion is not planning on getting out of the IAM business.
IAM is a strong and growing market, and is still a top priority in even the current economic climate. But, when vendors use their IAM business as a way to help pull other products and push infrastructure on customers, success is measured in more than pure IAM revenue. True vendor viability concerns should be focused on these larger organizations and prospective customers need to look carefully at the nature of their commitment and the viability of their overall business. The commitment these organizations have to IAM should be a major concern. Courion's focus for IAM is to solve real, critical business problems. Its purpose is not to sell other pieces of infrastructure. This is what we do and we like to think we're doing it pretty well. We're growing. We're profitable. We've got a customer base full of happy customers. That all sounds pretty viable to me.
What are your thoughts?