GRC and IAM - you can’t separate it

06.06.2008 by Martin Kuppinger

At EIC 2008 I presented our view on the relationship of GRC and IAM as well as our definition of the GRC market, the core results of our GRC market report 2008. Basically, the generic GRC tools we see emerging in the market are becoming more and more the business layer above the classical core IAM tools, e.g. provisioning, self service and some other feature areas.

I’ve been talking with a lot of users within the last few weeks. And what I’ve learned has proven that statement. The most important driver for IAM projects today is the need for defined, auditable processes around user and authorization lifecycle management. And that is about Governance, Risk Management, and Compliance.

To fulfill these requirements, you need a strong IAM foundation. But without a level above it for business-controlled authorization management, for layered attestation from the system level up to the business level, for the management of business roles and for business-centric auditing, that foundation won’t fulfill the needs.

Given this, it is no surprise that several vendors integrate more and more of these features into their IAM products, some of them on a high level (Völcker), while others have acquired specialized vendors in both areas (Oracle, SAP, Sun).

Today it is not necessary to buy the IAM and the GRC products from the same vendor, especially because the GRC solutions are at an early stage. And because IAM tools will always focus more on the IT level whilst GRC focuses on the business level, I’m not sure whether they should really be integrated. But one thing is sure: You will need both levels of tools to fully support the business requirements which are driving IAM today.

Siemens DirX - back in the IAM market…

08.05.2008 by Martin Kuppinger

Some time ago, as a result of some of the fundamental reorganizations Siemens had to do within the last two years, the department responsible for the DirX solutions was moved into the healthcare unit of Siemens. That was a somewhat unusual place for an identity management product unit. Now, Siemens is reorganizing again. Besides three core areas (Industry, Healthcare, Energy) there will be several cross-sector activities. One of these is Siemens IT Solutions and Services.

Within Siemens IT Solutions and Services (SIS) there will be a unit “Identity Management and Biometrics” in which Siemens bundles its DirX and Biometrics activities. SIS will offer complete solutions including Smartcards, PKIs and security consulting around the products of this unit. Besides this, the unit will work with VARs and plans to enlarge its set of partners beyond Siemens Enterprise Communications and the few other partners they currently have. There are also plans to extend the IAM portfolio through partnerships.

Even though we have to wait and see how well the new structure works, how successful SIS is in selling IAM projects up to a complete outsourcing and how the partner landscape around DirX will change, Siemens is now obviously in a much better position again. The new organizational structure is far more logical than the placement in the healthcare department has ever been. We will observe how the new structure works in reality. But Siemens should be considered a strong vendor again, even if you might not have done so for some time.

The quest for the grail: Identity Providers in the cloud

06.05.2008 by Martin Kuppinger

In the last few days I had a briefing with John De Santis, Chairman and CEO of TriCipher, about the new myOneLogin service. This service provides strong authentication and Single Sign-On for SaaS applications, supporting many SaaS apps as well as features like SAML-based federation to the few SaaS providers which are already at that level.

One of the things John mentioned was that Salesforce.com has allowed Google to be the authoritative source of identity assertion. In that relationship, Google is acting as identity provider. Besides the question of whether Google is the best choice to trust, that leads to another question: There is no established identity provider in the so-called “cloud” [By the way: Has the term "cloud" been chosen because everything out there is a bit "cloudy" in the sense of "fuzzy"?].

There is no role management market - there is a GRC market

10.04.2008 by Martin Kuppinger

For some time I planned to write a report on the segmentation of the role management market. There are many different offerings for role management which all use the same buzzwords but provide pretty different solutions. But I decided not to write this report - just because there is no role management market. It might appear that such a market segment exists. But in fact it is just a part of a larger market segment, the GRC (Governance, Risk Management, Compliance) market.

The GRC market, on the other hand, appears today as a very fragmented market, with a broad range of solutions and tools. Without giving away everything my upcoming report on the structuring of the GRC market will include, there are at least two levels of distinction between the offerings in the market. The first is around the general level, where you find methodologies, pre-defined solutions (for example rule sets for specific applications and compliance regulations which can’t be applied easily to other threats) and tools.

Within the tools, there appear, amongst others, the vendors of role management solutions. I personally define five core functionalities for GRC tools:

  • Analysis of entitlements and Reporting
  • Attestation - should, by the way, be multi-layered
  • Authorization Management, including SoDs (Segregation of Duties) and, in general, policy/rule definition and enforcement for entitlements
  • Risk Management, including Risk Modeling and Analytics
  • Role Management

Within these functionalities, the management of roles is the centre, because the other features rely on this. Workflow features - best solved with the choice between internal and external workflows - are mandatory.

Currently there is no vendor who provides the entire big picture on a high level. But it is obvious that many vendors are working on this picture and are delivering more and more parts of the puzzle.

By the way - based on these tools there probably will be a solution market again which provides pre-defined implementations for specific industries or regulations.

This view also answers the question of whether GRC should be limited to IAM. No, it is a broader market. IAM delivers to GRC solutions. But GRC is sort of a bracket across the entire IT infrastructure, building a bridge between IT and business. Thus GRC goes well beyond IAM, even though many of today’s IAM solutions can (help to) solve GRC threats and even though there won’t be a successful enterprise GRC implementation without a strong IAM foundation.

How to be successful in Europe

21.03.2008 by Martin Kuppinger

In our briefings with US vendors that aren’t that visible in Europe, they often claim that they will start to develop the European market soon. Some one or two years later they are still almost invisible in Europe. There are some obvious reasons why so many US companies fail to succeed in Europe. They can be split into two categories:

  • The products
  • The market development

Regarding the products, it is important to understand that there are other expectations in many European countries than in the US market. Germans tend to look for the perfect solution, very sophisticated and really fulfilling all their needs, while the Americans seem to accept more point solutions which help to solve an existing problem at least at the 80:20 level.

That doesn’t necessarily mean that you need other products for Europe. But US vendors shouldn’t raise expectations too high but be realistic and focus on the business values and quick wins their customers can really achieve. Even though this works in many situations, there are market segments with very specific European approaches. Role management, for example, tends to be implemented in Europe with a much stronger methodological approach than in the US - and that is reflected in the products.

M-Tech - another interesting player in the IAM market

21.03.2008 by Martin Kuppinger

While M-Tech has a long customer list in North America, there are only a few customers here in Europe - even though M-Tech offers a comprehensive IAM suite. But M-Tech plans to address the European market more actively than before. They might have success if they do it the right way, by building a real presence in different European countries and not restricting their European activities to a one-man office based in the UK, which is the often observed approach of many US companies.

Besides a reasoned approach and some tenacity in addressing the European market(s), the second success factor is the product. M-Tech has improved its product portfolio significantly over the last years. As of now they have a competitive offering in the provisioning space, but also some interesting add-ons in other areas.

In their early years the product portfolio consisted mainly of ID-Synch and P-Synch for provisioning and password synchronization. Today there are several other components which are offered separately as well as in the form of the M-Tech IDM Suite. There are some features which aren’t mainstream and might be the differentiators to other vendors in the IAM market. ID-Discover as a tool for discovering existing accounts with a reconciliation component, P-Synch with its somewhat unique approach to E-SSO or ID-Org as a strong component for mapping organizational structures are just some examples. M-Tech also has some very Active Directory-specific components like ID-Access for Active Directory Group Management.

With their features, their strongly integrated products and the specific Active Directory support, I personally rate M-Tech as a vendor for mid-sized businesses, which, at least in the IAM market (and from my Swabian perspective, where mid-sized companies are rather big), are companies in the 2.000-10.000 employee range. In this market segment IAM adoption is still low but the pressure to implement IAM is increasing. With their integrated approach M-Tech might become an interesting player over here in Europe, provided that they develop the market actively enough and try to build a strong basis of system integration partners.

Will there still be provisioning products three years from now?

18.03.2008 by Martin Kuppinger

Today, provisioning is the core element of Identity Management. Most of the products which are usually named “Identity Manager” are built around provisioning, with more or less additional features. But will that still be the case some three years from now? There are several trends which will influence provisioning significantly. The most important ones are

These trends will influence the market. One important area is the reuse of existing IT infrastructure components. There are clear advantages of using a standard workflow and business process management instead of proprietary implementations in provisioning products. For example, processes can be better managed, integrated with existing supply chains and easily transferred to other systems.

HP - will they ever understand Software Business?

22.02.2008 by Martin Kuppinger

HP chose not to sell its Identity Management products any more. A surprise, for sure - at least at first look. On the other hand: HP had in 2006 revenues of 91,6 billion US$ - but only 1,3 billion US$ in software revenue. And that was a major increase, compared to 2005. In other words: HP is even today anything but a software company. Unlike Microsoft, CA, Oracle, it is first of all a box shipper, a hardware company. Even Services had only 17% of revenue in 2006 - compare it to IBM, and it is obvious that anything besides computers, printers, cameras is a pretty small part of their business.

Nevertheless I believe that the decision of HP is short-sighted. Identity Management is a growing business (By the way: Not being successful in significantly increasing markets is also an art in itself…). And Identity Management is relevant to HP’s Security Service Business as well as to their BTO strategy. Besides this, HP has had some pretty interesting technical features, especially around Federation. And they have some good guys in their Identity Business, to name Archie Reed and Jason Rouault.

One size fits all?

30.01.2008 by Martin Kuppinger

One trend observed is that the so-called “Identity Managers”, e.g. the provisioning products, are constantly growing in functionality - and complexity. This isn’t surprising. There is strong competition between vendors and thus many vendors try to add all the functions which are offered by other vendors. The customers as well expect very complete products. But there are two things which should make us think about this strategy:

  1. The increasing complexity: Does it really make sense to create more and more complex products?
  2. The still existing weaknesses: In many areas there are better solutions available as separate products than are implemented in most or all provisioning products. Have a look at business role management, GRC (Governance, Risk Management, Compliance) functionality, or workflows.

Besides this, there is not just one user group which has to deal with identity management. There are departmental managers who have to do some attestation and to invoke workflows. There are the people who act as the interface between IT and the rest of the organization and who, for example, have to deal with the translation of business roles into system roles. There are technical administrators of the connected systems. In other words: There are several levels within the organization which have to be addressed - and there are several technical layers.

I personally don’t believe that more and more complex provisioning products are the best answer for the customer’s requirements. In contrast, a modular approach with defined interfaces and defined responsibilities would suit much better in most cases, especially in the larger companies. For smaller companies, a one-stop-solution might be appropriate. But in that case it has to be one which is pre-configured and easy to use, something which isn’t delivered today.

My expectation is that the market will change, with vendors who offer modular solutions (or just some modules) in a service-oriented architecture and others who focus on the midsize market with integrated products. But today’s approach of putting more and more functionality (business role management, auditing,…) into a technical product will fail, like yesterday’s “Enterprise Systems Management Frameworks” have failed.

6,5 billion GBP spent for social networks in UK

23.01.2008 by Martin Kuppinger

Some days ago I received a press release which stated that in the UK the cost of social networks is around 6,5 billion GBP – at least a recent study claims it to be that high. Such numbers are always questionable, for sure. What are the real costs of someone maintaining his own social network? Difficult to calculate… But: Even 1 billion would be too much.

There is some value in social networks, especially in business networks. But it is obvious that it takes a lot of time to maintain contacts, find people you know and especially to do this multiple times for different networks. I personally have chosen to limit myself to three networks: Xing, LinkedIn, and StayFriends. And I really hate doing the same work in Xing and LinkedIn. I could easily cut my own “costs” for maintaining social networks in half if I could easily exchange information between these networks. User-centric IAM approaches applied to social networks thus might cut the costs significantly. One more reason to doubt the future of today’s social networks.

© 2007 Martin Kuppinger, Kuppinger Cole + Partner