BMC Software on Wednesday announced enhancements to its CONTROL-SA provisioning tool that focus on ease of use and deployment as well as scalability and integration.

CONTROL-SA helps enterprises automate the process of provisioning access to applications and system resources to employees and business partners. Such systems are intended to improve enterprise network security, because they help enterprises ensure users have access only to the resources they require and, conversely, make it simpler to revoke all access rights, such as when employees leave the company or the company severs ties with a business partner. The systems also reduce administrative costs associated with the provisioning process.

BMC is now offering an agentless deployment option with CONTROL-SA, in addition to its existing agent-based technology. Whether a product uses agents is a subject of debate in provisioning circles, with agent-based vendors saying agents allow for more fine-grained control and real-time enforcement capabilities, while the agent-less approach eases deployment.

"We don't subscribe to a 'you must be agentless or agent-based' philosophy," says Steve Lesem, vice president and business unit field executive for BMC's Security Solutions business unit. "We ask, 'What are the security requirements of the managed environment?'"

Web-based Management Console

For example, an organization may choose to deploy agents on its handful of servers that support significant financial data, thus providing features such as online password intercept to ensure that any action taken on the server associated with access rights is checked in real time against the policy for that server. Agentless technology, which uses a polling mechanism to verify access rights, may be adequate for the company's more numerous -- but less sensitive -- file and print servers.

Another new feature intended to ease deployment is a Web-based management console, adding to the existing Windows-based interface.

"A number of customers wanted the flexibility to deploy the console via the Web vs. a workstation," Lesem says.

Also new is the Multi-Region Enterprise Security Station, which allows deployment of CONTROL-SA servers in various regions around the globe. Each server can be under local control, with policies suitable for that region, while a central console provides a consolidate view and data synchronization features. In addition, the feature is intended to promote scalability. Lesem says one customer is using it to handle some 500,000 user IDs.

BMC is also embarking on an open integration initiative, whereby it is opening up its APIs to other companies that provide workflow automation, as well as to end users. The initiative enables companies to integrate homegrown workflow applications into CONTROL-SA as well as tie in third-party applications from vendors including Oblix, which makes an identity management tool.

"As standards emerge from groups such as OASIS and we can move our integration points to those standards, we will do that," Lesem says.

Finally, BMC announced it will deliver an LDAP server from Radiant Logic, Inc. to all new and existing CONTROL-SA customers, enabling various LDAP-based applications, such as reporting and audit tools, to access the CONTROL-SA repository.

All the enhancements are expected to be available by the third quarter. CONTROL-SA pricing starts at $78,000 for 1,000 users.