Today Sun Microsystems Inc. released identity software that helps businesses keep track of which employees access their applications and IT systems, a requirement established by the Sarbanes-Oxley Act of 2002.
The new Java System Identity Auditor from the Santa Clara, Calif.-based company allows users to generate reports showing which systems are accessed, and by whom -- as well as any access violations that may have occurred across a broad range of applications. The software also automatically sends reports to business managers when a violation of access policy occurs.
"This is about automating all of the manual work that has to go on today to comply with regulations," said Sara Gates, vice president of identity management for Sun.
Section 404 of Sarbanes-Oxley requires businesses to ensure that only authorized users have access to financial reporting applications, and that companies document any exceptions to that rule.
"Because of Sarbanes-Oxley, we need to know what is happening on our network," said Cliff Bell, CIO of Phoenix Technologies Ltd., a Milpitas, Calif.-based software company.
While some provisioning applications may be able to provide information on who is allowed to access a certain application, such as SAP, the new Sun software should make it much easier to find access violations throughout a system, said Jonathan Penn, a principal analyst with Cambridge, Mass.-based Forrester Research Inc.
"Provisioning systems can do a lot, but they require a lot of customization, and customization means expense," Penn said. "This makes it a lot easier to do."
Still, Bell said even the Sun software may not cover all his needs. He uses software from Emeryville, Calif.-based GroundWork Open Source Solutions Inc., which monitors both the activity of users and devices such as servers. If a server goes down, or there is an interruption on the network, it may indicate an attack, Bell said.
"I need to monitor both people and machines," Bell said.
The market for such identity auditing systems is likely to grow dramatically as more companies try to meet reporting requirements, said Roberta Witty, a research director at Stamford, Conn.-based research firm Gartner Inc. Every public company is regulated by Sarbanes-Oxley and needs to audit who has access to financial applications, she said.
"The need [for identity auditing products] has existed ever since two people could access the same computer," Witty said. "Now Sarbanes-Oxley is forcing the issue."
She said several vendors have already gone to market with similar products, including Calgary, Alberta-based M-Tech Information Technology Inc., Framingham, Mass.-based Curion Corp., and New York-based Thor Technologies Inc.
IBM, Sun's primary competitor in the overall identity management market, does not yet have an auditing product, but Witty said IBM is likely to launch one soon.
Sun's Java System Identity Auditor starts at $250,000 and can stand alone or work in conjunction with the rest of Sun's identity management products.