These days I’ve read some entries in the Beteo blog, a blog provided by a swiss software and consulting company which is somewhere in between SOA and BSM - or BTO, the term they tend to use due to some affinity to HP. The interesting thing is that Beteo not only claims but proves that Service Management principles and tools which are commonly used more in the IT Infrastructure Management can be applied to the field of Software Change Management as well. Beteo, a company I’m in contact with since they’ve been founded (and I have been in contact even with their predecessor), uses this concept with success especially in SAP environments.

That leads to the obvious conclusion: There should be a much more common service understanding. There should be one BSM approach on the upper layer. BSM, as real business service management, should really address the business aspects like

• Defining services from a business point of view - like “manage a contract” including storage, access rights,…
• Mapping these business services to IT services
• Manage these services from a business perspective, e.g. accounting, controlling (do we need these services really?),…

The next layer are IT services, e.g. the more technical services IT provides to deliver a business service. These services can be managed with ITIL principles and - at least to some degree - with today’s so called BSM tools.

Whether the mapping of IT services to the IT implementations of business processes is part of the IT service layer or the business service layer is a matter of definition. I tend to place the description of business process at the business service layer and the implementation of business processes in IT - and thus, the relationship of these processes with IT services - at the IT services layer.

Anyhow, there is a layer below for the different types of IT services. Today, BSM focuses mainly on IT infrastructure services and provides mainly an ITISM (IT Infrastructure Service Management) - and not an ITSM (IT Service Management) or a real BSM (Business Service Management).

Besides the IT Infrastructure Services we have IT Application Services. These services tend to be more granular, down to web services and so on.

But regardless of the service you talk about: Each service can be managed with the same principles - and ITIL (and ISO 20000) is a good point to start if you focus on the principles for managing services. You can define, implement, run, optimize any type of service. Whether you look on high level business services or on low level application services, the way you should handle services is, from a conceptual view, the same. The business aspects like service accounting and controlling can be applied as well on every level.

Given that, a unified view on services and their management would bring a lot of benefits to IT - the reuse of management software, improvements in that software when the experiences of infrastructure and software change management are combined and influence the tools, the capability for an overall auditing and accounting of services, a consistent authorization management for services, their management and their use.

But that would mean that the siloes at the vendor side (where software management is in most cases another division than infrastructure management) disappear as well as the siloes in today’s IT organizations are opened for more cooperation.

In a, may be, simplistic view on IT there are three important pillars on the IT infrastructure level. Using the - sometimes improper - buzzwords, these are

• Identity (and Access) Management (IAM)
• SOA - in fact more the technologies for business processes and flexible applications, e.g. including BPM (Business Process Management)
• BSM (Business Service Management), or ITSM (IT Service Management), or BTO (Business Technology Optimization), or however you will name what has been systems management and now, with a new layer on top, is something “entirely new”. I would say it claims to be something new but the layer on top is far from being mature.

You might claim that the Enterprise Systems are missing in that list. Yes, they are missing. No, they are in, because SOA or BPM are the way to use these systems in the future - have a look on the strategies of SAP with NetWeaver or Oracle with Fusion.

Read the rest of this entry »

In the past I have several times published thoughts on the ERP for IT, and IT cost management (here and here…). Today I had a very interesting discussion with Econet, a german vendor which adresses IAM more from the process perspective and the ITSM (IT Service Management) area. During this discussion we came across the need for IT cost management and accounting - and to an interesting conclusion:

• There is one group which isn’t really interested in the real IT costs: The customer of IT. The customer is interested in a fair, reliable, stable assignment of IT costs he can budget. But he isn’t interested in exact, always changing numbers.
• There is another group which should be interested but in most cases isn’t: The IT management itself. They need to know the exact costs, assigned to services and the consumers of the services for planning, for the mentioned fair assignment, for improvement for IT. But most of the CIOs don’t really work on implementing a granular, service- and identity-based IT cost management, neither they have it in place.

 The obvious question is: Why don’t they act? The main reasons are

1. complexity of the topic
2. lack of tools
3. lack of economical knowledge in IT management - most IT managers aren’t business but IT people and not all really understand controlling, accounting, and so on

But it inevitable to work on a service- and identity-based, granular IT accounting and cost management and a controlling because it is the basis for IT as a real business unit.

Today’s problem is that the ones who need exact IT costs are often not ready for it. And the ones who were ready don’t want to have exact but stable, fair cost assignments. But I’m sure that this will change within the next time.

One of the IT market segments I’m observing for a quite long time ist the System lifecycle management market, including software distribution, OS installation, inventory, patch management and some other technologies. There are few segments which are that crowded. If I count the vendors/brands which compete in the central European region I end up with something aroung 20 at least. Given this number of competitors it is obvious that not all of them will survive. There will be the big ones to survive - and there will be the smart ones.

Read the rest of this entry »

The topic I discuss probably most often as well with vendors and system integrators as with end users is how to sell IAM. The problem behind this is that IAM is mainly seen as an infrastructure element (which IAM is). The potential business value is often quite unclear, as well as many people just don’t know that they need IAM even because they are using different terms. The CRM don’t see their system in the context of IAM even while it’s the biggest identity store in most companies – just an example.

One thing I’m intensively working on is a business-related argumentation which starts with the business problem and ends with IAM – and not the other way round, like it is done in most cases. The other aspect which came into my mind is to sharpen the relationship between IAM and the CIO’s agenda. The first step in this is to have a look on the CIO agenda – what shall be on that agenda (which are not necessarily the same issues that are on the agenda today).

Read the rest of this entry »

This afternoon I had an analyst briefing with one of the vendors which offspring the market segment formerly known as system management which is usually defined today as client or system lifecycle management. This change has been definitely necessary because system management covered a very broad range of different technologies.

But the system lifecycle management segment, which exists for a while, is as well pretty heterogeneous. There are vendors which still mainly support software distribution, OS installation, patch management, and some other administrative functionalities. There are vendors which are moving towards the security market, like LANdesk with their NAC products or Symantec. Many vendors are adding license management capabilities and move towards the ITSM (IT Service management market) or at least to some part of this market - Enteo/Frontrange as one example -  whereas others set their focus on compliance and related topics. The borderlines aren’t always clear. There are many vendors which claim to support license compliance. But there are few which really cover all the details of licenses and which integrate their license compliance tools as well with asset management and automated inventory services as with contract management. In this area you’ll find Managesoft as well as Brainware.

But even for these vendors, there’s the question about how long the niche will exist. The approach of ManageSoft is pretty interesting. They are providing a strong technical integration with the inventory and asset management as well as a dashboard for the business user and IT management. Thus, they might move towards more controls they support in this “compliance dashboard”, they might add risk management functionality or they might do both.

But ManageSoft, like every other vendor who has successfully done the step beyond the administration-focused system lifecycle management, will always have to find new niches fast - because other companies will enter interesting market segments and because the big BSM players always will try to position their solution as the “swiss army knife” you can use for everything.

My observations of the vendors in the system management space over the last years are, that there are some vendors which are able to reinvent themselves. There are vendors who try to grow through acquisitions - not always successful. There are the big ones which sometimes struggle when it comes to the details and still need support of smaller specialists who are able to fulfil the customer’s demand in the context of an enterprise framework. And there are many companies which are neither able to reinvent themselves (at least not fast and innovative enough) nor to grow through acquisitions. In a market segment like system lifecycle management with more than 20 active competitors in Europe - not counted the ones in other areas - the ability to move forward is one of the most important aspects for product decisions. It is because the ones who aren’t innovative are the ones who will in the best case become acquisition targets and in the worst case just will disappear.

Thus, it isn’t done with re-positioning in a newly “invented” market segment which is just a new name for something existing. It is about re-inventing the market segment.

Have you ever thought about assigning the IT costs in a correct manner? Services and IAM will help you. Services are a means for a more granular view on what IT provides. That is true as well for the IT infrastructure services which are, for example, covered in ITIL. It is true as well for the services used in SOA concepts. But services aren’t sufficient. The assignment of IT costs requires the knowledge about the user. Who is using which services in which frequency? This question has to be answered as well. That means, that you have to know in the context of which user a service runs or - more abstract, for infrastructure services - is used.

Thus, bringing IAM and BSM together and combining IAM with SOA is the foundation on which a more efficient IT cost management could be build. And it is, as well, the foundation for the thing I would call ERP for IT.

A side effect of application security infrastructures

When writing my upcoming report on the architecture of application security infrastructures I thought also about potential business values of this type of service layer which sits between applications and the security infrastructure (in fact the term “application security infrastructure” is somewhat misleading because its more about a service layer which sits on top of the infrastructure - and the service layer is core, not the infrastructure). When thinking about the business values it became clear to me that there is a clear link to what I have written in “The ERP for IT” about the chance to use service orientation for making IT sort of a business unit.

Application Security Infrastructures can support IT to become more business-oriented and more economic. How? Very easy: These infrastructures expose defined services (security services, mainly identity services) to applications and network infrastructure components (for example “identity storage services” as interface to directories). The usage of these services can be measured. The costs of the underlying infrastructure can be measured as well and is related to specific services. So, in effect, you have the cost per use per service.

With that information you can for example predict the costs of new applications much more precise than before. You can assign the costs of the infrastructure much more precise than before to the consumers of the services. You can offer more efficient services for lower costs. And so on… IT can act like a business unit or, more familiar, like an “internal outsourcer”.

That is, from my point of view, one of the biggest advantages amongst the pretty long list of business values an application security infrastructure can deliver. For sure that isn’t unique to application security infrastructures, but applies to any move towards service orientation.

The acquisition of MaxWare by SAP finally has led to a new competitive situation in IAM. I define four segments or clusters of vendors in the market:

• The ones with focus on the business process
• The ones with focus on business service management
• The pure (or mainly) IAM vendors (and the ones which have a broader IAM portfolio but not integrated that into a higher level vision)
• The specialists 

To start with the first segment - these are the vendors who compete for becoming the leading supplier of the infrastructure for business processes. To do this, they need IAM to provide identity services into the new SOA-based business processes. The main vendors in this cluster are Oracle, and SAP (in alphabetical order…). Both of them are working on identity services, both two as well are working intensively on or providing solutions for GRC (Governance, Risk, Compliance). You might add Microsoft to this segment because their main target is a vital role in the business process battle.

The second segment are the vendors with an infrastructure management history who today provide solutions for Business Service Management (or Business Technology Optimization or however you name it). The most important ones in this segment are BMC, CA, and HP. Yes, for sure - HP also has some service focus but the big story is about BTO, in their case. IAM is, from the perspective of these vendors, mandatory as a central part of the IT infrastructure to be managed. You might, by the way, add Völcker Informatik to that segment. They are no full BSM vendor but their philosophy is driven by many of the same ideas.

Then there are the IAM suite vendors like Evidian, Novell, or Siemens - and many others like Beta Systems, Courion or M-Tech. For some vendor you might discuss whether he is part of this cluster or a specialist but that will become more clear with my definition of that segment later. These vendors are providing sort of “standalone IAM”, with more or less completeness of their portfolio.

The specialists are vendors which focus on specific aspects of the broader IAM landscape. These include companies like SECUDE, Sxip, Ping Identity, Sailpoint, Titus Labs, G+D, or Bhold, to name just a few.

If you look for the big names in the list there are some missing, notably IBM and Sun. They are the typical “somewhere-in-between-vendors”. I’d put IBM in the BSM cluster, Sun in the “pure IAM vendor” box as the best fit. But as mentioned above you could also discuss about the positioning of HP, Voelcker and other vendors.

The more interesting question is about who will be the winners in this new formed competition - and the loosers. The most difficult situation, from my point of view, is the one of the “pure play IAM vendors”. Specialists might always find there place in the market or become acquired. But the IAM vendors who haven’t been acquired until now will have to rethink their positioning. Might they add something to enter another segment? Evidian might, being a vendor in the systems management space at well. Besides they are a specialist in E-SSO and they have a new focus on mid-sized businesses. Siemens has large customers and its eHealth specialization, plus some Telco background. So there are opportunities for further success for virtually any vendor in the market. But some might have to really think about their strategy to achieve a positioning which makes them competitive even three or five years from now.

During an analyst briefing I had some days ago with a leading vendor in the BSM space around the role Identity Management plays for BSM (which is quite important, given the fact that all leading BSM vendors are IAM vendors and that IAM plays a significant role within ITILv3) we came to the conclusion that there is no ERP for IT. There are specific ERP solutions for Finance, Customer Relationship Management, Product Lifecycle Management, and so on. But there is nothing for IT. That automatically led to the question whether BSM might fill this gap.

The discussion also was sort of a reminder to another talk I had some months ago with the CIO of one of the German DAX companies. His vision is about an IT with clear knowledge on its costs thus being able to predict the TCO (and not only development costs or an initial investment into infrastructure) of new “Business Services” IT delivers. These services might be applications or infrastructure services. He’d like to be able to predict the cost per user, the cost per use of a specific service or whatever you want. This ability would be the basis for a factual discussion about IT services and a granular accounting and might even lead to an IT department which is sort of a business centre (like an Outsourcer) and not only a cost centre.

Both discussions are around the way IT acts, about the role of Business Service Management and, in fact, about ERP for IT. The BSM approach which is required for that type of solution will go well beyond todays infrastructure focus. BSM itself is much broader than the IT infrastructure service focus of ITIL. But for that approach it will have to include much more functionality around application and service (in the sense of web services) management, something which isn’t covered that much by most BSM vendors today.

I personally believe that sort of an ERP for IT will be very interesting, proofing the fact that IT is today an important enabler for business and not just a technology department which burns money. The question is whether it will really be some of the large BSM vendors who deliver that new type of application or whether the ERP vendors will be the ones. I’ll wait and see.

You might ask yourself what this has to do with IAM (Identity and Access Management), my core topic. Well, first of all IAM is not my only topic. BSM is one which becomes more and more important for KCP due to the relationship to IAM - and one I’m doing research for quite a long time now. Besides this, there is another ERP for IT thing I’m currently thinking about. May be I’d better call it EIP for “Enterprise Information Planning” but it’s about enterprise control of information, the next real big step in IAM. I’ll cover this in one of my next blogs.