The business value of Compliance

10.10.2007 by Martin Kuppinger

Today I read a press release from Novell where they claim that most enterprises don’t realize the value of Compliance. For sure, if you think about Compliance, then most of us first think about the pain of being compliant. More reports, more rules, new applications, … And, honestly, Compliance is first of all something reactive, avoiding penalties.

But there are some clear advantages as well, as we’ve mentioned several times. This is especially true if you look at it from a general “Governance, Risk Management, Compliance” perspective. There are, especially in the risk management area, clearly visible opportunities for enterprises. Detecting, managing and thus reducing or avoiding risks brings value.

The other important aspect is that the process maturity of corporations increases when they start to implement enterprise-wide GRC approaches (even though today it is mainly the process-mature corporations that are implementing these solutions). Defined processes and integrated data about what happens in the enterprise are drivers for optimization. GRC done right and in the context of business process optimization is a key instrument for management.

IT has to provide the technology to implement a consistent, automated GRC approach. “Manual” Compliance is way too expensive. It requires tool support. But with this approach, where IAM plays a central role, IAM will change - it will become a part of a bigger thing, integrating GRC (and, in this context, Business Role Management) and what I call “Enterprise Information Management” (look here and here).

I definitely agree with Novell on their point that there is business value in Compliance. But I’d like to add: The real value is only visible from an enterprise perspective. From an IT perspective, Governance/Compliance automation is cheaper than manual work - but first you have to invest in IT. Thus, if IT wants to use Compliance as an argument to gain budget for its infrastructure improvements, it has to argue from a management perspective as well as an IT perspective and must not remain in its IT-only view of the world.

Posted in GRC

A new competitive situation in IAM

05.10.2007 by Martin Kuppinger

The acquisition of MaxWare by SAP finally has led to a new competitive situation in IAM. I define four segments or clusters of vendors in the market:

  • The ones with focus on the business process
  • The ones with focus on business service management
  • The pure (or mainly) IAM vendors (and the ones which have a broader IAM portfolio but have not integrated it into a higher-level vision)
  • The specialists 

To start with the first segment - these are the vendors who compete to become the leading supplier of the infrastructure for business processes. To do this, they need IAM to provide identity services into the new SOA-based business processes. The main vendors in this cluster are Oracle and SAP (in alphabetical order…). Both of them are working on identity services, and both are also working intensively on, or providing, solutions for GRC (Governance, Risk, Compliance). You might add Microsoft to this segment because their main target is a vital role in the business process battle.

The second segment consists of the vendors with an infrastructure management history who today provide solutions for Business Service Management (or Business Technology Optimization or however you name it). The most important ones in this segment are BMC, CA, and HP. Yes, for sure - HP also has some service focus, but in their case the big story is about BTO. IAM is, from the perspective of these vendors, mandatory as a central part of the IT infrastructure to be managed. You might, by the way, add Völcker Informatik to that segment. They are not a full BSM vendor, but their philosophy is driven by many of the same ideas.

Then there are the IAM suite vendors like Evidian, Novell, or Siemens - and many others like Beta Systems, Courion or M-Tech. For some vendors you might debate whether they are part of this cluster or specialists, but that will become clearer with my definition of that segment later. These vendors provide a sort of “standalone IAM”, with portfolios that are more or less complete.

The specialists are vendors which focus on specific aspects of the broader IAM landscape. These include companies like SECUDE, Sxip, Ping Identity, Sailpoint, Titus Labs, G+D, or Bhold, to name just a few.

If you look for the big names in the list, there are some missing, notably IBM and Sun. They are the typical “somewhere-in-between-vendors”. I’d put IBM in the BSM cluster, Sun in the “pure IAM vendor” box as the best fit. But as mentioned above you could also debate the positioning of HP, Voelcker and other vendors.

The more interesting question is about who will be the winners in this newly formed competition - and the losers. The most difficult situation, from my point of view, is the one of the “pure play IAM vendors”. Specialists might always find their place in the market or be acquired. But the IAM vendors who haven’t been acquired until now will have to rethink their positioning. Might they add something to enter another segment? Evidian might, being a vendor in the systems management space as well. Besides, they are a specialist in E-SSO and they have a new focus on mid-sized businesses. Siemens has large customers and its eHealth specialization, plus some Telco background. So there are opportunities for further success for virtually any vendor in the market. But some might have to really think about their strategy to achieve a positioning which makes them competitive even three or five years from now.

The ERP for IT

05.10.2007 by Martin Kuppinger

During an analyst briefing I had some days ago with a leading vendor in the BSM space around the role Identity Management plays for BSM (which is quite important, given the fact that all leading BSM vendors are IAM vendors and that IAM plays a significant role within ITILv3) we came to the conclusion that there is no ERP for IT. There are specific ERP solutions for Finance, Customer Relationship Management, Product Lifecycle Management, and so on. But there is nothing for IT. That automatically led to the question whether BSM might fill this gap.

The discussion was also sort of a reminder of another talk I had some months ago with the CIO of one of the German DAX companies. His vision is about an IT with clear knowledge of its costs, thus being able to predict the TCO (and not only development costs or an initial investment into infrastructure) of new “Business Services” IT delivers. These services might be applications or infrastructure services. He’d like to be able to predict the cost per user, the cost per use of a specific service or whatever you want. This ability would be the basis for a factual discussion about IT services and a granular accounting and might even lead to an IT department which is sort of a business centre (like an Outsourcer) and not only a cost centre.

Both discussions are about the way IT acts, about the role of Business Service Management and, in fact, about ERP for IT. The BSM approach which is required for that type of solution will go well beyond today’s infrastructure focus. BSM itself is much broader than the IT infrastructure service focus of ITIL. But for that approach it will have to include much more functionality around application and service (in the sense of web services) management, something which isn’t covered that much by most BSM vendors today.

I personally believe that sort of an ERP for IT will be very interesting, proving the fact that IT is today an important enabler for business and not just a technology department which burns money. The question is whether it will really be some of the large BSM vendors who deliver that new type of application or whether the ERP vendors will be the ones. I’ll wait and see.

You might ask yourself what this has to do with IAM (Identity and Access Management), my core topic. Well, first of all IAM is not my only topic. BSM is one which becomes more and more important for KCP due to the relationship to IAM - and one I’ve been doing research on for quite a long time now. Besides this, there is another ERP for IT thing I’m currently thinking about. Maybe I’d better call it EIP for “Enterprise Information Planning” but it’s about enterprise control of information, the next real big step in IAM. I’ll cover this in one of my next blogs.

© 2008 Martin Kuppinger, Kuppinger Cole + Partner