Today RSA Security, a part of EMC [officially it’s “RSA, The Security Division of EMC”], has officially announced the acquisition of Aveksa, a company based in Waltham, MA. The deal closed on July 1st, 2013. Aveksa is a leading provider in the area of Identity and Access Governance (IAG), as depicted in our KuppingerCole Leadership Compass on Access Governance. Aveksa will continue to operate under the current leadership of its CEO Vick Viren Vaishnavi and will be part of the RSA Identity Trust Management business. Aveksa currently has approximately 175 employees.

One might ask why RSA did not enter the “core IAM” business earlier, when it was mainly Identity Provisioning, but for some years now that core has been complemented by and shifted towards IAG. Many people had expected such a move from RSA, given that they deliver in several other areas of the IAM market, including Strong Authentication, Versatile Authentication, Access Management and Federation. With the Aveksa acquisition, RSA definitely has made a move in that direction.

Instead of focusing on the traditional Identity Provisioning market, they focused on the emerging IAG market segment. Aveksa delivers some built-in provisioning capabilities but clearly does not have the breadth of connectors that the key-players in that market segment provide. However, with IAG increasingly becoming an integration layer for existing “legacy” provisioning tools, Aveksa has emerged as a major player. By adding some provisioning capabilities, customer requirements can be typically covered. Aveksa builds here on an enterprise-grade approach based on an Enterprise Service Bus (ESB) as the transport layer. Support for manual fulfillment is another important approach. Simply said: The number of connectors is not the key decision guage. The main measure  is the support for a structured and user-friendly approach to Access Request Management, Recertification, and Access Analytics, including the underlying Enterprise Role Management.

However, the real potential of that acquisition is not that RSA as of now can provide a solution for IAG. The potential is in combining the capabilities of both companies to open new grounds for Access Governance, beyond that which is common today. In my presentation about “Redefining Access Governance: Going well beyond Recertification” at EIC 2013, I talked about eight areas of advancement for IAG – and I admittedly missed one in that list that I covered in other presentations, which is IAG for Cloud Services. The video recording of the session is available online.

There is much room for improvement. Aveksa is a strong player in IAG. RSA adds not only Access Management and Federation, but strong and versatile authentication. And there is RSA Archer, an Enterprise GRC solution. The combination of RSA and Aveksa is, by the way, the only one in the market where strong authentication and IAG come together in one vendor. That will allow creating Access Governance for risk- and context-based authentication and authorization, the next big trend in IT. My colleague Dave Kearns and myself both talked about that topic at EIC 2013 and Dave will do a Webinar on this topics later this month. Governing the rules for such environments and adding analytics for that is a field of high interest. And this is clearly not the only area where both companies can leverage synergies, given the tight relationship between cyber-attacks and Access Management and Analytics.

RSA and Aveksa have started talking about some promising ideas, even in the context of EMC. EMC can add Big Data capabilities that allow moving IAG to the next level when it comes to analytics. And not only that: Combining authentication information, external threat intelligence, risk analytics etc. – all in the combined portfolio – might lead to game-changing offerings.

So there is strong potential. Let’s see whether, how, and when RSA delivers on this potential. Still, when looking at acquisitions the other important question is: What does it mean to existing customers? The good thing is that there is virtually no overlap between the current product portfolios of these two companies. Thus, there are no products that are likely to be discontinued. In fact, for RSA customers there is really the chance for new and advanced offerings. For existing Aveksa customers, the acquisition means that their supplier right now is not a niche player anymore but part of a far larger vendor, with substantial financial backing and a far broader portfolio. Thus, there is a strong potential that this turns out to be positive for existing Aveksa customers.

But as always: Only time will tell.