For some time I planned to write a report on the segmentation of the role management market. There are many different offerings for role management which all use the same buzzwords but provide pretty different solutions. But I decided not to write this report - just because there is no role management market. It might appear that such a market segment exists. But in fact it is just a part of a larger market segment, the GRC (Governance, Risk Management, Compliance) market.

The GRC market, on the other hand, appears today as a very fragmented market, with a broad range of solutions and tools. Without telling on everything my upcoming report on the structuring of the GRC market will include, there are at least two levels of distinction between the offerings in the market. The first is around the general level, where you find methodologies, pre-defined solutions (for example rule sets for specific applications and compliance regulations which can’t be applied easily to other threats) and tools.

Within the tools, there appear, amongst others, the vendors of role management solutions. I personally define five core functionalities for GRC tools:

• Analysis of entitlements and Reporting
• Attestation - should, by the way, be multi-layered
• Authorization Management, including SoDs (Segregation of Duties) and, in general a policy/rule definition and enforcement for entitlements 
• Risk Management, including Risk Modeling and Analytics
• Role Management

Within these functionalities, the management of roles is the centre, because the other features rely on this. Workflow features - best solved with the choice between internal and external workflows - are mandatory.

Currently there is no vendor who provides the entire big picture on a high level. But it is obvious that many vendors are working on this picture and are delivering more and more parts of the puzzle.

By the way - based on these tools there probably will be a solution market again which provides pre-defined implementations for specific industries or regulations.

This view gives as well an answer to the question whether GRC shall be limited to IAM. No, it is a broader market. IAM delivers to GRC solutions. But GRC is sort of a bracket across the entire IT infrastructure, building a bridge between IT and business. Thus GRC is going well beyond IAM, even while many of today’s IAM solutions can (help to) solve GRC threats and even while there won’t be a successful enterprise GRC implementation without a strong IAM foundation.

In our briefings with US vendors which aren’t that visible in Europe they often claim that they will start to develop the European market soon. Some one or two years later they are still almost invisible in Europe. There are some obviuos reasons why so many US companies fail to succeed in Europe. They can be split in two categories:

• The products
• The market development

Regarding the products, it is important to understand that there are other expectations in many European countries than in the US market. Germans tend to look for the perfect solution, very sophisticated and really fulfilling all their needs, while the Americans seem to accept more point solutions which help to solve an existing problem at least at the 80:20 level.

That doesn’t necessarily mean that you need other products for Europe. But US vendors shouldn’t raise expectations to high but be realistic and focus on the business values and quick wins there customers can really achieve. Even while this works in many situations there are market segments with very specific European approaches. Role management, for example, tends to be implemented in Europe with a much stronger methodological approach than in the US - and that is reflected in the products.

Read the rest of this entry »

While M-Tech has a long customer list in northern America there are only a few customers here in Europe - even while M-Tech offers a comprehensive IAM suite. But M-Tech plans to address the European market more actively than before. They might have success if they do it the right way, with building a real presence in different European countries and not constricting their European activities to a one-man-office based in UK, which is the often observed approach of many US companies.

Besides a reasoned approach and some tenacity in addressing the European market(s) the second success factor is the product. M-Tech has improved its product portfolio significantly over the last years. As of now they have a competitive offering in the provisioning space, but as well some interesting add-ons in other areas.

In their early years the product portfolio consisted mainly of ID-Synch and P-Synch for provisioning and password synchronization. Today there are several other components which are offered separately as well as in the form of the M-Tech IDM Suite. There are some features which aren’t mainstream and might be the differentiators to other vendors in the IAM market. ID-Discover as tool for discovering existing accounts with a reconciliation component, P-Synch with its somewhat unique approach to E-SSO or ID-Org as a strong component for mapping organizational structures are just some examples. M-Tech also has some very Active Directory-specific components like ID-Access for Active Directory Group Management.

With their features, their strongly integrated products and the specific Active Directory support I personally rate M-Tech as a vendor for the mid-sized businesses, which are at least in the IAM market (and from my swabian perspective where mid-sized companies are rather big) companies in the 2.000-10.000 employee range. In this market segment IAM adoption is still low but the pressure to implement IAM is increasing. With their integrated approach M-Tech might become an interesting player over here in Europe, given that they are actively enough developing the market and trying to build a strong basis of system integration partners.

Today, provisioning is the core element of Identity Management. Most of the products which are usually named “Identity Manager” are built around provisioning, with more or less additional features. But will that be still the case some three years from now? There are several trends which will influence provisioning significantly. The most important ones are

• Reuse of existing IT infrastructure components
• Business Role Management
• Enterprise Information Management

These trends will influence the market. One important area is the reuse of existing IT infrastructure components. There are clear advantages of using a standard workflow and business process management instead of proprietary implementations in provisioning products. For example processes can be better managed, integrated with existing supply chains and easily transferred to other systems.

Read the rest of this entry »

HP choose to not sell it’s Identity Management products any more. A surprise, for sure - at least at first look. On the other hand: HP had in 2006 revenues of 91,6 billion US$ - but only 1,3 bill US$ in software revenue. And that was a major increase, compared to 2005. With other words: HP is even today anything but a software company. Unlike Microsoft, CA, Oracle, it is first of all a box shipper, a hardware company. Even Services had only 17% of revenue in 2006 - compare it to IBM, and it is obvious that anything besides computers, printers, cameras is a pretty small part of their business.

Nevertheless I believe that the decision of HP is short-sighted. Identity Management is a growing business (By the way: Not being successful in significantly increasing markets is also a art of itself…). And Identity Management is relevant to HPs Security Service Business as well as to their BTO strategy. Besides this, HP has had some pretty interesting technical features especially around Federation. And they have some good guys in their Identity Business, to name Archie Reed and Jason Rouault.

Read the rest of this entry »

One trend observed is that the so called “Identity Managers”, e.g. the provisioning products, are constantly growing in functionality - and complexity. This isn’t surprising. There is strong competition between vendors and thus many vendors try to add all the functions which are offered by other vendors. The customers as well expect very complete products. But there are two things which should let us think about this strategy:

1. The increasing complexity: Thus it really make sense to create more and more complex products?
2. The still existing weaknesses: In many areas there are better solutions available as separate products than are implemented in most or all provisioning products. Have a look at business role management, GRC (Governance, Risk Management, Compliance) functionality, or workflows.

Besides this, there is not just one user group which has to deal with identity management. There are departmental managers which have to do some attestation and to invoke workflows. There are the persons which act as interface between IT and the rest of the organization which, for example, have to deal with the translation of business roles into system roles. There are technical administrators of the connected systems. With other words: There are several levels within the organization which have to be adressed - and there are several technical layers.

I personally don’t believe that more and more complex provisioning products are the best answer for the customer’s requirements. In contrast, a modular approach with defined interfaces and defined responsibilities would suit much better in most cases, especially in the larger companies. For smaller companies, a one-stop-solution might be appropriate. But in that case it has to be one which is pre-configured and easy to use, something which isn’t delivered today.

My expectation is that the market will change, with vendors who offer modular solutions (or just some modules) in a service-oriented architecture and others, who focus on the midsize market with integrated products. But todays approach to put more and more functionality (business role management, auditing,…) into a technical product will fail. Like yesterdays “Enterprise Systems Management Frameworks” have failed.

Some days ago I received a press release which stated that in UK the cost of social networks is around 6,5 GBP – at least a recent study claims it to be that high. Such numbers are always questionable, for sure. Which are the real costs of someone maintaining his own social network? Difficult to calculate… But: Even 1 billion would be too much.

There is some value in social networks, especially in business networks. But it is obvious that it takes a lot of time to maintain contacts, find people you know and especially to do this multiple times for different networks. I personally have chosen to limit myself to three networks: Xing, LinkedIn, and StayFriends. And I really hate it to do the same work in Xing and LinkedIn.  I could easily split half my own “costs” for maintaining social networks if I easily could exchange information between these networks. User-centric IAM approaches applied to social networks thus might cut the costs significantly. One more reason to doubt the future of today’s social networks.

Recently I complained about the insufficient use of existing technologies. But there are some out there who do a better job. Sailpoint is one of these vendors. They are, together with some few others like Aveksa, in the process of establishing the new market segment of “Identity Risk Management”. That is a discipline within GRC which deals specifically with risks which are in some way or another identity-related - which are most of the risks, by the way. It’s about answering questions like “who is allowed to do what”, but in detail and not only high-level. And with a high degree of automation.

And they do it by using Business Intelligence and Data Warehouse technologies.  Thus, they don’t reinvent something on a lower level but make use of existing technologies. The result is an appealing application which obviously is build on some strong kernel of technology.

Another interesting thing about Sailpoint is that there are several well-known guys from the IAM market - some of the founders and early employees of Waveset are no part of Sailpoint. That obviously means that they understand a lot about Identity Management and that they also understand what the customers need beyond provisioning.

Thus, having a look at companies like Sailpoint and Aveksa and the entire new descipline of Identity Risk Management is a must. And, no surprise: Identity Risk Management will be an important topic at our European Identity Conference 2008.

At a workshop I have held yesterday I had an interesting conversation about some aspects of IAM - especially the way, IAM products are developed without reuse of existing technologies. The discussion isn’t really new to me. I have discussed some of the aspects some five or six years ago with one of the leading IAM vendors. A fruitless discussion, by the way.

MDM, e.g. Master Data Management, is a concept for building and maintaining master data, for example for supplier data or material data. There is no real difference to what meta directory services are providing. The only real differentiator are the specific connectors. But the basic concepts are the same. The concept of delivering data quality is inherent to MDM, sometimes based on sophisticated pattern matching approaches. That raises the question: Why don’t we use these technologies for many of the aspects which are done today by proprietary IAM products?

EAI, e.g. Enterprise Application Integration, is an approach for using sort of bus systems to connect different systems and to exchange any type of information. Some two days ago a vendor told me that some of its customers are using EAI (or enterprise service busses) to exchange SPML for the integration of different provisioning systems. Siemens, by the way, used such a technology some time ago. The customers argued about the complexity of this approach. On the other hand such technologies are widely deployed in larger corporations, are very flexible regarding their connection to databases and the core business applications, and ensure a reliable transport. Thus, they often provide functionality which is missing for example in provisioning systems. Again this raises the “why” question.

The provisioning-specific workflows are another example, even while the vendors start to fix this and to support other, external workflow systems which often offer a broader functionality and interfaces to process management tools.

My answer to the “why”-questions is pretty easy (and in fact, it are two answers): I assume that many of the architects of today’s aren’t familiar with the concepts I’ve mentioned and other important IT concepts. And you can’t use what you don’t know. The second part of the answer is: In the first step it is much easier to build a system without integrating these sometimes pretty complex approaches. But on the long run it’s inefficient.

Besides this there are two perspectives: From the IAM only perspective using MDM or EAI as a foundation leads to more complex products. From an overall IT perspective, it leads to less complexity. Thus, it is also a question of the point-of-view. Anyway: I believe that it a least will be helpful to have a look beyond the common IAM approaches. That’s what vendors really should do these days. The example of workflows which are more and more externalized proves that there is some need to do that. By the way: Doing that might as well lead to new competition. Think about MDM or EAI specialists and some other company which focuses on connectors. There might be interesting business models for both of them to successfully compete in the IAM business.

It has been quiet around Sun Microsystems at least in the IAM space for some time. Being one of the companies pushing the market some four years ago, especially with their Waveset acquisition, there hasn’t been that much news for some time. For sure there were still a lot of improvements in the product. But other vendors like Oracle and SAP have had much more attention - especially due to their acquisitions. And some interesting things Sun has done like their early entry into the audit space or their virtual directory technology never obtained much attention, for different reasons.

The audit capabilities, for some time now part of the Sun Identity Manager, probably came a little bit to early. The virtual directory technology, on the other hand, is part of the Sun Directory Server and thus not a real competitive product to the standalone solutions in the market. From my perspective, Sun should decouple these products.

But back to the silence around Sun - it ended yesterday. Or, to be honest, it ended some days ago when the rumors around the planned acquisition of Vaau became more frequent. Yesterday the official information about that deal was released. Sun invests in the IAM space - and aquiring in the role management space for sure is a good thing today in these days because role management is one of the most important areas of the IAM space. Sun increases its competitive positioning with Vaau. That’s a good signal - for Sun as well as for the market, because more competition is always positive for the customers.

For sure we will have to observe the integration of Vaau technology into the Sun IAM portfolio. But with its audit capabilities, with Vaau and with being amongst the first vendors to support the new web service interfaces of SAP GRC Access control, Sun is definitely back and working on its positioning in the IAM space. So they are not only one of the early innovators, but they appear to be back in track for a leading position in the market also for the next years.