One approach for policy management

24.08.2008 by Martin Kuppinger

Some weeks ago Evidian, one of the European vendors in the Identity Management market, announced that they are in the lead of a European research program for multi-domain policy management. The program, called MULTIPOL, is part of ITEA 2 (Information Technology for European Advancement), a set of EU-sponsored initiatives in the IT space.

The focus of MULTIPOL is mainly around multi-domain authorization, e.g. controlling access according to different security policies from different domains. The reason why: There is no internal network with a strong perimeter any more. Networks are becoming increasingly open. While authentication has been solved by approaches like Federation, the handling of policies for access control and thus authorization is still an issue.

We will observe this initiative, with Evidian as lead and ten other major European IT companies as participants. Policy Management beyond the border of one system is still amongst the things which have to be solved.

Some years ago I wrote an article on policy management, stating that companies aren’t solving the problem but are just moving it to the next level. That was when more and more vendors told me stories about the policy management capabilities they had built into their products. Usually they had built one policy management per product. So, instead of 100 products without policies there were 100 with policies. Different, incompatible ones.

The approach of Evidian is one interesting approach besides others like the idea of claims-based authentication and authorization Microsoft/Kim Cameron have published. Given that Evidian has long experience especially around managing access, there might be some valuable outcome from this project – despite the fact that it is an EU-sponsored project.


The language of the customer

15.08.2008 by Martin Kuppinger

This morning I was working on some slides for a sales training I will do for a vendor these days. When clicking through my slides I found an older slide I first used some three years ago. It was about the sometimes different understanding customers and vendors might have of the same terms – or the missing understanding of terms by the customers. Terms like Meta Directory, Federation, Virtual Directory, Reconciliation, and so on.

In this context, I recall a conversation I had some weeks ago with Hassan Maad, COO of Evidian (one of the definitely underestimated vendors in the market). He said that from his experience the term “access” is much more meaningful to the customer than “identity”. He is right – everyone can imagine what we are talking about when we talk about “access”. “Identity”, on the other hand, is a more fuzzy term.

Another recent experience was about the way vendors are selling their tools. In a current strategic consulting project, I had a discussion with the customer about the evaluation of tools. The customer had had several sales presentations from different vendors. When comparing the customer’s rating of the vendors with our view, there were in some two cases really big differences. The reason for this: The sales people had used their common, typical terms, didn’t focus on the needs of the customer and, in one case, focused on an architectural approach which the vendor has significantly changed over the last two or three years. Looks like the sales guys once learned some USPs (unique selling propositions) which appeared to be “unique”, but not necessarily “selling”. While the vendor adapted his product, the sales guys are still using these old Non-USPs instead of telling the new story.

There is something common within these observations: In every case it is about hitting or missing the expectations of the customer. It is very easy to lose by using terms which the customer either doesn’t understand or misinterprets. It is as well very easy to lose pitches by telling the wrong story, either an ancient one or one that misses the expectations of the customer.

Thus, it might be a good idea for the entire industry to rethink their wording. Take “reconciliation” – not that easy to understand, especially for people whose native language isn’t English. Or “entitlement management”: I’ve never met anyone who understood that without further explanation. Not that bad for us analysts, because explaining things is part of our business.

And, if your job is about selling Identity and Access Management or GRC (Governance, Risk Management, Compliance), it is always a good idea to first think about the “customer customer” (whom are you talking with – and which are his obvious business needs?), the industry (not every industry has the same requirements), and to talk about the requirements of the customer first before talking about your solution. Listen, then talk. And talk in a language everyone can understand – or shortly explain the specific terms you can’t avoid.


HP, Novell, Oracle,…

06.08.2008 by Martin Kuppinger

Some time ago HP decided to stop the further development and sales of their IAM products, even while they will support existing customers. Since then, Novell announced an agreement with HP with a special cross-upgrade offer. And, since then, there are a lot of rumours about other partnerships in the market. What is the reason for this?

To understand this, one first has to understand the structures of HP. HP is a pretty big and diversified company. There is the consumer business, there are printers. In the enterprise IT area, we still have three different divisions:

  • Software (by far the smallest division)
  • Hardware
  • Services (consulting, integration,…)

These divisions have different strategies. And they have different partner strategies. The agreement between Novell and HP is from the software division. The services have, also depending on the regions, sometimes another view. Thus, none of the partnership announcements of HP around IAM should be overestimated.

From my perspective, it is much more important for existing HP customers to rethink the IAM strategy. Will you use HP software – and until when? And what are your vision, your strategy, your operational requirements for IAM? Thus – which way will you go? Which software vendor fits best? Which integrators suit your targets best? Given the fact that IAM becomes more and more business driven, integrated into the GRC and/or BSM context, you should first redefine and update your IAM strategy and afterwards select the best vendors and partners for you. That might be Novell, Oracle, or someone else.

And you can bet that your IAM strategy has to be updated compared to what you had in mind some years ago when deciding for the HP solution – because there has been a lot of progress in IAM since then.

The costs of software licenses are a small percentage of the overall costs of IAM projects. Thus, these costs have to be considered but aren’t the main criterion for a decision. The main criterion is that what you’re doing there fits to your IT strategy and is aligned to the business requirements.

One thing to add: HP isn’t out of IAM – at least not the services division. Again – there are several divisions at HP doing their own thing, and HP still provides and will continue to provide services for IAM, based on software of other vendors.


BMC again…

06.08.2008 by Martin Kuppinger

My colleague Felix Gaehtgens recently blogged about his discussion with Tom Bishop, CTO at BMC, about the BMC strategy for IAM. His findings are very consistent with the blog of Tom Bishop which was published some weeks later and appears to be some indirect response to Felix.

It is obvious that many BMC customers are insecure about BMC’s strategy for IAM. There have been several changes, both in BMC’s organization and in the way BMC is addressing this market. BMC has moved the development of the IAM functionality to India, where they are developing other major parts of their products as well. Some people from the IAM team – from the product as well as the sales/marketing side – in North America and EMEA have left BMC, including Jeff Bohren, one of the guys behind SPML. Even while BMC states that there are more people involved in IAM activities than before, there are still some open questions left.


© 2014 Martin Kuppinger, KuppingerCole