Inside Avatier’s Goals to Modernize Identity Management
September 25, 2024 Alex Woodie
When Nelson Cicchitto founded Avatier back in 1997, the company focused on providing identity management and access for a single platform: Windows NT. Nearly three decades later, the company’s core goals around enabling identity management and access haven’t changed, but its platform reach and technical capabilities certainly have grown, as Cicchitto said in an exclusive IT Jungle interview.
You may not have heard much about Avatier, the small Pleasanton, California-based developer of identity and access management solutions that’s been quietly building a base of 500 customers around the world. As far as IBM i vendors go, the company keeps a relatively low profile, although it did attend the COMMON POWERUp 2024 conference and is becoming more visible in community events.
But as customers put more focus on good security and authentication practices, the odds that you’ll run into Avatier and its solutions increase. In a recent interview, Cicchitto explained Avatier’s basic goals and where he sees the company and the industry going.
“Avatier is an identity and access management company,” Cicchitto said. “We allow you to effortlessly connect, provision, deprovision, and reset passwords across your entire enterprise, and your IBM i environments as well.”
What makes Avatier unique, he said, is its capability to deliver a range of identity management and access solutions – its products include Password Management, Lifecycle Management, Single Sign-On, Access Governance, and Group Self-Service – behind a single pane of glass. Whether it’s end users asking for a password reset, or a manager approving or rejecting a request for greater access to data or certain applications, the user experience across the different tools is designed to be consistent.
That consistency is particularly important for large companies that are managing hundreds of thousands of users across hundreds of applications running on a dozen or more cloud platforms or enterprise systems. Avatier’s flagship product, Identity Anywhere, supports all of the major computing platforms, including Windows, Unix, Linux, IBM i, and System z, and has direct integrations for many IBM i-based applications, including JD Edwards, Kronos, and Agilysys, among others.
About 10 years ago, Cicchitto decided to shake things up a bit. The identity and access management industry had become “stale and stagnant,” and he looked for a new path.
“We said we wanted to reinvent this industry,” Cicchitto said. “Everybody’s kind of doing everything the same way. Everyone from SailPoint to Okta to all of the leading competitors in this space. What we said is we want to reset.”
Avatier looked at three high-profile vendors to model their new platform on. The first company was Netflix. No matter what device or platform you’re accessing Netflix from, the experience is always the same. Netflix served as the standard-bearer for the company’s “write once, run everywhere” goal.
It admired the push notifications that are available in the Uber and DoorDash applications. “We thought what was missing from this industry is your IBM i users and other employees could not request anything and there was no push notification,” Cicchitto said. “We really liked the way DoorDash and Uber did this. You know when your ride is arriving, right? Well, you should know when your access is arriving as well.”
Finally, it looked to Google, which invented the modern concept of containers. Containers not only allow users to scale hardware up and down as needed, but they also provide the substrate for continuous delivery and orchestration.
“As you know, all of these products are built with software bill of materials. They include hundreds of third-party products that need to be updated constantly, and those products could contain vulnerabilities,” Cicchitto said. “We want to be able to push out the latest security changes if there is a zero-day exploit immediately to our customer base. So that was another reason for the new design.”
Using containers provided another benefit besides scalability and high availability: security. Customers can run Avatier software in their own cloud instance on any public or private cloud, which elevates security.
“Some of our large customers have millions of identities, so we’re managing those million identities across multiple containers, maybe 10 or 20 containers or pods,” Cicchitto said. “But the key here is this agent, and that’s what’s talking to the IBM i or to the IBM Cloud or to SAP or anything on premise. This agent’s hyper secure. It’s running over [port] 443 so there’s no firewall rules that you have to worry about. It’s encrypted to your private instance, so you have your own encryption. It’s secured through an SSL certificate, and it’s whitelisted to your servers in the cloud. So it’s very hard for a hacker to be able to attack anything like that. And that’s what’s doing all the safe communication to the IBM i.”
There are technically two agents in Avatier’s architecture for IBM i: One that sits on-prem on a Windows box and communicates with the core Avatier software running in the private or public cloud, and another IBM i-specific agent that sits on the IBM i server. That agent runs under QSECOFR to provide access for creating and changing user profiles, etc., and it communicates with the Windows agent via RFC (remote function calls).
While Avatier has clearly put great thought into developing a secure architecture, the company puts an equal amount of effort into making the user experience as simple and painless as possible. For starters, the product delivers the same user experience across all client devices, including Android and iOS phones or Web browser plug-ins.
The product supports all of the major directory products on the market, whether they’re from IBM, Microsoft, Okta, Duo, Ping, or others. It supports password-based authentication as well as non-password-based authentication using the FIDO2 or OpenID Connect specifications. You can log in with your mobile device, a fingerprint, an RSA device, or one of a number of authenticator apps, such as Microsoft Authenticator.
“We also have our own MFA questions and answers and one-time passcodes [via SMS], which is nice because you can layer,” Cicchitto said. “You could say ‘I want to log in with Microsoft Authenticator but then I also want to ask some questions from Active Directory or Avatier private questions that the user entered in when they enrolled.’ So we have some nice capabilities there.”
Administrators have access to additional capabilities, such as executing password resets or approving or denying access requests. Cicchitto’s demo shows that the company is using the latest user interface techniques to make the experience intuitive for administrators. A built-in workflow system also keeps administrators on track, and presents them with additional information to help determine whether the requesting user represents a high risk or a low risk.
Following the MGM hack, Avatier added a feature called human-assisted multifactor verification that enables the admin to ask additional questions if the requester is determined to be high-risk. For instance, the admin could ask a user which system she last logged into today. If the user’s answer matches what Avatier surfaces to the admin, it provides further confirmation that the user is who she claims to be.
“We really wanted the casinos to feel safe that when they’re running our solution, we’re going to confirm their identity and avoid what happened in the MGM-Okta hack,” Cicchitto said.
One of Avatier’s customers is The Cosmopolitan of Las Vegas. The luxury resort runs the standard allotment of IBM i applications for casinos, including lodging, restaurants, the casino floor, and HR and financials, from Agilysys, Infor, Kronos (now UKG), and others, and uses Avatier’s solutions to manage user provisioning and passwords.
Providing a zero-trust administration experience, where internal users have access only to what they need and nothing more, is Avatier’s top selling point for IBM i customers, the CEO said. The capability to run in the cloud and work with a wide range of systems and applications is another. Cicchitto cites a comprehensive auditing function as an additional benefit, as well as low-code or no-code integration with existing systems.
Installation and setup are included with subscriptions for Avatier’s software, which start at about $25,000 per year for a 500-user subscription. You can find more information at www.avatier.com.