Identity Management Front And Center At Catalyst

Novell, which has been pushing hard into the identity management arena as its network software business has languished, released Nsure Audit, a tracking application that companies can use to monitor all user log-in activity on a network. The release is the capping piece of its Nsure identity management platform.

Nsure Audit records all log-in transactions, collects them in a centralized log, and allows administrators to apply filters to produce reports on anomalous events to spot bad behavior on the part of employees. The software will also generate and deliver alerts to IT personnel when an important event occurs, such as an unauthorized log-in or an attempt by an employee to do an end-around his access privileges.

The idea is to create a secure audit of all log-ins that, if necessary, can be used to recreate the sequence of events after an illegal or unauthorized event. Recent legislation, including the Sarbanes-Oxley Act of 2002, requires companies to better track information access.

"The key is a non-repudiative audit trail," said Jeff Allen, the product manager for Nsure Audit. "That means [identity] logging where integrity can be demonstrated, that no record [of an event] has been tampered with and none are missing."

To create such an audit trail, each log-in event is digitally signed, and multiple events can be 'chained' or grouped together, while retaining their authenticity through digital signatures.
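
A minimal sketch of a chained, authenticated log like the one described above, added here as an illustration and not taken from Nsure Audit. It assumes HMAC-SHA256 with a shared key in place of the digital signatures the article mentions, and every name, key and event in it is hypothetical or constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64                       # constructed anchor for the first record
SAMPLE_KEY = b"constructed-demo-key"     # constructed; a real system would protect this

def _tag(key, body):
    """Authenticate one record body (HMAC stands in for a digital signature)."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def append_event(log, key, event):
    """Append an event bound to the previous record's tag, forming the chain."""
    prev = log[-1]["tag"] if log else GENESIS
    body = {"seq": len(log), "prev": prev, "event": event}
    log.append({**body, "tag": _tag(key, body)})

def verify_log(log, key, expected_len=None):
    """Return (position, problem) findings; an empty list means the log is intact."""
    findings, prev = [], GENESIS
    for i, rec in enumerate(log):
        body = {"seq": rec["seq"], "prev": rec["prev"], "event": rec["event"]}
        if not hmac.compare_digest(rec["tag"], _tag(key, body)):
            findings.append((i, "record altered"))
        if rec["seq"] != i or rec["prev"] != prev:
            findings.append((i, "chain broken: record missing or reordered"))
        prev = rec["tag"]
    # Chaining alone cannot reveal records cut from the end of the log; that
    # needs a record count (or latest tag) stored somewhere the log writer
    # cannot reach.
    if expected_len is not None and len(log) != expected_len:
        findings.append((len(log), "record count mismatch"))
    return findings

def build_sample_log(key=SAMPLE_KEY):
    """Constructed sample log-in events, not real data."""
    log = []
    for user, result in [("alice", "ok"), ("bob", "denied"),
                         ("bob", "denied"), ("carol", "ok")]:
        append_event(log, key, {"user": user, "result": result})
    return log

if __name__ == "__main__":
    log = build_sample_log()
    del log[2]                           # simulate a record removed mid-log
    print(verify_log(log, SAMPLE_KEY))
```
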

It's not just organizations in highly regulated fields, such as finance, health care, and government, that require a secure form of log-in auditing, said Allen, noting that companies in all areas of business are looking for a way to prove they've done due diligence on the security front if they're dragged into court. "Sarbanes-Oxley is a major driver, but it's not the only one."

Nsure is a cross between auditing and identity management solutions, said Gerry Gebel, an analyst with the Burton Group. "Consolidated auditing and reporting across all infrastructure components, including network, application and identity management, is becoming increasingly important for enterprises," he said.

On the same playing field, Microsoft, IBM, and others used the Catalyst platform to announce a new Web services security specification. Called WS-Federation, the specification is the latest in a series of moves going back to 2002 in which the two companies have led efforts to define security, identity management, and trust standards in Web services.

"WS-Federation is like the icing on the cake," said Jamie Lewis, the CEO of the Burton Group. "It's the specification for how to use WS-Trust and WS-Security to create a federated sign-on." WS-Trust and WS-Security -- among the Web services security specs that Lewis calls WS-* for short -- are among those originally touted late last year by Microsoft and IBM.

Lewis characterizes WS-Federation as a general purpose security specification, one that provides a "way to exchange security tokens of any kind." Products that comply with the spec, he said, will be able to authenticate users in transactions between different companies, business partners, for instance, which use different types of identity and authentication processes. That will eliminate the need for both companies -- and their users -- to rely on the same solution, or constantly re-authenticate outsiders who rely on a different authentication scheme.

"Web services simply won't work without some type of federated identity management," said Lewis.

The Liberty Alliance, another player in the security and identity management market, also made news Tuesday by releasing a set of guidelines it said would further the adoption of federated identity. The guidelines, which are available from the Liberty Alliance Web site, include a list of business requirements that the Alliance believes are essential before federated identity can bear fruit. Like Microsoft and IBM, the Alliance has offered up several Web services security and identity management specifications.

The guidelines are to be the first in a series, said Liberty Alliance, which will help developers assemble a Liberty-based identity implementation, and give businesses an overview of the issues that must be addressed before they exchange identity information with other companies.

In other news, Novell also announced it has posted a free SAML extension to its iChain identity management service. The extension can be downloaded from Novell's Web site.

This story courtesy of TechWeb.