Thursday, December 28, 2006

CA sketches security architecture plans

Computer Associates last week said it would roll out a series of software packages designed to help users manage corporate security environments.

While details of its eTrust Security Management architecture are sketchy, the company said its initial server-based products and tool kits will aggregate and track identity and security assertions, create policies and grant authentication on platforms without modifying underlying applications. The products are expected by year-end.

The concept of supporting a way to unite diverse identity and authorization schemes, such as Security Assertion Markup Language and Kerberos, figures prominently in CA's plans, says Toby Weiss, senior vice president.

The company says its goal is to give customers a way to establish trust models and enforce them across multiplatform applications. Weiss says what happens in terms of identity and authorization in one part of a large intranet is often lost across these heterogeneous systems.

In outlining CA's plans, Weiss says the basic problem the company wants to solve is how to preserve user identity and the specific level of trust accorded to it after a user has authenticated at a Web site and gained access to an internal, multivendor network. As a user moves from Web to mainframe to database applications and more, it's hard to enforce appropriate levels of authorization or capture a comprehensive audit trail associated with the user's movements, Weiss says.

Analysts say CA is targeting a real problem but are skeptical about how easy it will be to solve.

CA is looking at the problem of "loss of accountability, which happens in a multi-tier architecture where lots of applications are treated as silos," says Phil Schacter, vice president and service director at Burton Group.

There is no product set that can achieve multivendor end-to-end audit and accountability in the way CA is proposing, Schacter says. "This kind of functionality typically doesn't come out of a box," he says. More commonly, it would entail the burden and expense of custom coding.

He voices doubts about whether CA can achieve this without a lot of industry partners.

CA says it has spent two years mulling the difficulty of audit and authorization in a heterogeneous network before stepping out publicly to declare it will conquer it through the eTrust Security Management Architecture.