Beyond ID Management: How VARs Can Secure SMB Biz

Identity management in the VAR channel is not the all-in-one black bucket it is in the enterprise space. Instead of customized frameworks for provisioned, single-sign-on, directory-integrated identity management, in the SMB space there are opportunities to sell identity modules, says Mike Neuenschwander, Burton Group research director.

"VARs that cater to very large businesses fit more into this enterprise model and make a good living," he says. "But because of their limited resources and simpler networks, SMB users are really looking at plug-and-play identity components. And there really aren't a lot of them out there in the channel."

Doubtless, the pickings are slim for VARs venturing into the ID-management market, where Neuenschwander says only BMC, Microsoft and IBM have some presence in the SMB channels. But there's plenty of opportunities for VARs looking beyond traditional ID-management frameworks.

VPN, single-sign-on, provisioning, Web-access controls, authentication and Federated Identity are all technologies in their own right. And they'll all fuel additional software revenue in 2007, according to VARBusiness' State of Technology security survey. The upsell opportunity is integrating these components with other security and identity technologies.

"When we go into [our client] sites, most of their passwords are defaults or 'password,'" says Steve Hart, president of Advantage Microsystems in San Francisco. "So the first thing we do is turn on Microsoft's Group Policy Manager and initiate change-password requests on the server."

In Microsoft environments, this creates a nice segue to upsell Active Directory services, particularly since the software company has integrated core identity and access services into Windows Server Active Directory to make it more user-friendly for SMBs.

"Our estimates put Active Directory in more than 50 percent of midsize organizations--companies with 50 to 99 PCs. VARs have been key to our success in this segment," says Michael Stephenson, director of identity and access management at Microsoft. "We also see an opportunity for VARs to provide more advanced identity and access solutions."

Cost savings are one factor driving this channel, says Stephenson, who points to an IDC study that reveals customers are saving $120 per desktop per year by standardizing on Active Directory for authentication and single-sign-on. Another driver, particularly for the health-care, government and financial-services verticals, is regulation, which is pushing all businesses with regulated data into multifactor authentication, he adds.

That may explain how VeriSign wound up on the top of the list of vendors best-suited to provide ID management, according to VARBusiness' security survey. VeriSign, an authentication and credential-management vendor, doesn't label itself as an ID-management player. Fran Rosch, VeriSign's vice president of authentication solutions, attributes the vendor's placement on the ID-management list to its new Web-services model, which makes it easier for VARs to deploy VeriSign's technology at smaller sites, and to the company's Federated Identity network, which allows SMBs and their customers to leverage and share their identity credentials among a larger network of registered businesses.

Think Big

Ultimately, all of these ID-management components will need to come together in some sort of framework like Microsoft's, says Jon Freeman, founder and president of Mycroft, an IT services and ID- and storage-management VAR in New York. But even with better pricing models easing entry into the ID-management space, customers will have to pay big bucks for installation, he says, adding that his average engagement is for 2,500 users.

"The ramp-up time to become a competent resource for identity provisioning and user access is anywhere from six to nine months," Freeman says. "But it's worth it when the consulting services alone on a typical project could be $150,000."