With the 4th now behind us, EMC announced its acquisition of Aveksa, an Identity and Access Management (IAM) vendor focused on identity governance.
As acquisitions go, this one was on the small side so much of the security world will likely miss it as they continue thinking about fireworks, swimming, hotdogs, and hamburgers from this past weekend. All good memories, but I believe this acquisition is worth paying attention to for several reasons:
- The IAM space is in a state of transition. The IAM big 3, CA, IBM, and Oracle, established their leadership position when IAM was focused inside the enterprise on things like work flows, provisioning, and single sign-on. Yes, we still need that stuff but today’s reality of mobility, cloud, and open networks demands a completely new model. CA, IBM, and Oracle will certainly compete but history demonstrates that market transitions create new opportunities. With the acquisition of Aveksa, RSA is jumping into the evolving identity pool in a big way.
- Aveksa focuses on the business side of IAM. While IT tends to IAM plumbing and maintenance, business managers define policies, oversee access rights, and are accountable for violations. Aveksa plays in this business-centric space while plugging into IAM and security infrastructure. Why is this important? RSA is transitioning its products into a new type of enterprise-class security architecture. Security efficacy is important here but enterprise security infrastructure will also have to play at the boardroom level with the potential to lower risk, automate processes, streamline operations, and support business initiatives. RSA/Aveksa are well aligned here.
- RSA can now supplement security analytics with policy enforcement. RSA has developed a strong security analytics portfolio for risk management as well as incident detection/response. What’s missing is the other side of the equation, policy enforcement and fine-tuning of security controls once analytics detect a problem. Aveksa can help RSA add this capability over time, enforcing policies at the weakest link of the security chain – people. For example, when analytics indicate that an intelligence analyst is downloading massive amounts of classified documents, RSA will detect this anomaly and then enforce an immediate role change to preclude further damage.
Of course RSA gets immediate upside by aligning Aveksa with its existing authentication business – both traditional tokens and the burgeoning business for enterprise risk-based authentication. There will also be growing cloud opportunities in this space as well.
RSA’s biggest challenges include creating the right model and messages to weave its growing array of products into an integrated enterprise architecture and developing a consumption model for CISOs that starts with one product and adds value as new piece parts are glued together. That said, RSA is not alone here, Cisco, HP, IBM, McAfee, and Symantec have the same wall to climb. In the meantime, RSA can now fight the enterprise security architecture fight on yet another front, IAM, now that it has Aveksa in hand.