26.11.2009 by Martin Kuppinger
German vendor Beta Systems, one of the well-established vendors in the core IAM market, e.g. provisioning (notably, they provide other solutions as well), has recently unveiled the new version of its provisioning product, now called SAM Enterprise Identity Manager – in contrast to its former name, SAM Jupiter. That highlights that this product is part of a specific market segment, the identity provisioning products – most of them are named “Identity Manager”. It also shows that Beta Systems understands this release as a really major release.
And, in fact, it is. Amongst the broad set of new features, there are two really important ones:
- Beta Systems has finally managed to merge the two releases of its product. Until now, there has been a host-based and a Windows/UNIX-based version. The new version runs on all platforms and has, in addition, broader platform support for databases and other infrastructure components as well. Thus, maintenance and development are now easier for Beta Systems. And, furthermore, customers can now pick their platform of choice much more easily.
- Beta Systems has added multi-tenancy capabilities, being amongst the first provisioning vendors to do that. That is interesting not only to (external and internal) service providers but also to large organizations in industries with strong compliance regulations which, for example, have to enforce different segments of IT administration for different parts of the organization – as is sometimes the case in banks.
I especially like the multi-tenancy approach, because that will become a mandatory feature in provisioning tools over time.
19.11.2009 by Martin Kuppinger
One issue when dealing with GRC (Governance, Risk Management, Compliance) is that there is no single person who is responsible for it within organizations. And there is a simple reason for that: There are far too many GRCs out there. Vendors provide completely different offerings using the same acronym. That’s not new, but in the case of GRC, there is even more uncertainty raised than usual in the IT industry.
From my perspective, the solutions might be segmented into four layers:
- The so-called “Enterprise GRC”, which would be better named “Business GRC” or something similar, because the other technologies are also around the “Enterprise” but sometimes more focused on IT. Vendors in that space are, amongst others, companies like OpenPages, Bwise, Mega. The focus is on business risks and business controls, a high-level view and frequently mainly on manual controls.
- The layer which is best described with the term “Continuous Controls Monitoring”, which is about looking at specific IT systems and issues from a business perspective. Order processes, delivery status, and such things. Typically there is a mix of automated and manual controls, and some systems focus more on specific enterprise applications (billing, …), whilst others focus more on the consistency of the entire process. Vendors here are, amongst others, companies like SAP (Process Control, Risk Control) and Oracle, mainly for their own environments, and others like Approva.
- The layer which I’d call “specific/specialized GRCs”, amongst which IAM-GRC solutions (sometimes called “access governance”) and SIEM solutions are the most popular ones, though I’d add several service management tools as well, as long as they focus on service fulfillment and the service management process itself. These tools provide much more depth on specific controls, typically only a small subset of all IT controls. IAM-GRC, for example, focuses on roughly 4 of the 210 COBIT controls, the ones around identity and access. However, the level of automation is significantly higher and the controls are much more specific. In each of the segments here we have a lot of vendors.
- System-level tools around operations management, system-level auditing, integration of system-level logs and that stuff – tools which really do a deep dive into the access controls of file servers and shares and other aspects.
With a big picture like that, it becomes obvious that we have several elements within a GRC strategy. Business and IT have to work closely together to define what is needed in which area, how these tools interact and how they have to be integrated. With this view, the need for a single person responsible for GRC diminishes. There are at least two, one at the business and one at the IT level. And there are even more for the different “operational” tools at the lower levels.
If companies have defined their big pictures, it is easier for them to identify which tools they need to implement it. And it is easier for vendors to identify the persons to speak with.
More important from my analyst perspective is the first aspect: Companies which don’t have a clearly defined strategy on GRC will most likely end up with a mix of tools, non-integrated, not always providing the required features. Thus: A GRC roadmap and a GRC architectural blueprint are mandatory.
More about the system-level aspects might be heard (for the ones who read this soon) at our webinar today. A replay will be available soon.
Even more information about this topic, and especially the IAM-GRC aspects (Access Governance), will be available at the Kuppinger Cole Virtual Conference on this topic, December 8th to 9th. Registration for that conference is free.
05.11.2009 by Martin Kuppinger
Within the last few months, I’ve read several news items about slowdowns in the growth of the outsourcing business and particularly the MSS (Managed Security Services) business, at least compared to the high expectations raised in the years before. Does that mean that the cloud is dead before it really starts? I don’t believe so, for several reasons:
- There are different numbers regarding the status and growth of the MSS and outsourcing market. Some are much more positive than others – and it is no surprise that the negative ones are cited most (even the IT press more and more acts in the yellow press way…).
- In days of economic turmoil (and we are still in these days, despite the quick recovery of the bonus mentality in financial institutions), customers tend to first drop external services before they fire employees – that affects MSS.
- Outsourcing is sort of a “big beast” which is difficult to tame. It takes long preparation, and it is inflexible. Overall, it needs to adapt to become more flexible and easier to use. Cloud Computing, with its granularity of services, is an approach to address the shortcomings of outsourcing.
- Feedback I had from multiple CISOs regarding MSS is that the quality of service and the level of control are frequently insufficient – thus it is about the implementation and delivery of MSS, not the overall concept.
Two reasons why the Cloud (in my understanding an approach for a flexible use of IT services with the ability to switch between and choose the best provider, internal or external – i.e. much more about service than about external things from the Internet) will be successful, briefly explained:
- If you think about a matrix like the one shown below with two axes, Outsourcing is just sort of a specialized approach to the cloud. And from our expectations, the sweet spot for most providers will be around “community clouds”, in the centre of this matrix. The potential for industry clouds, community clouds, and point solutions hasn’t been unveiled yet. Thus, there is much more in the cloud than is discussed today.
- The cloud is not new. It didn’t just appear in the sky but grew over years. SaaS has been out there for a while, service management as well. Not to mention outsourcing. The cloud is, from my perspective, just the result of an evolution from a tactical, opportunistic use of external services towards a strategic approach on how to best provide IT services (external vs. internal). We’re at sort of the “break-even”, to use an analogy.
By the way: The biggest risk for the cloud is too much marketing. But that was the same with Client Server, the Internet, and many other things. None of them disappeared, but all big changes took years to become reality. The same is true for the cloud.
I appreciate your feedback on that! And see you at EIC 2010 and Cloud 10, both to be held in Munich, May 4th to 7th, 2010.