It has been quiet around Sun Microsystems at least in the IAM space for some time. Being one of the companies pushing the market some four years ago, especially with their Waveset acquisition, there hasn’t been that much news for some time. For sure there were still a lot of improvements in the product. But other vendors like Oracle and SAP have had much more attention - especially due to their acquisitions. And some interesting things Sun has done like their early entry into the audit space or their virtual directory technology never obtained much attention, for different reasons.

The audit capabilities, for some time now part of the Sun Identity Manager, probably came a little bit to early. The virtual directory technology, on the other hand, is part of the Sun Directory Server and thus not a real competitive product to the standalone solutions in the market. From my perspective, Sun should decouple these products.

But back to the silence around Sun - it ended yesterday. Or, to be honest, it ended some days ago when the rumors around the planned acquisition of Vaau became more frequent. Yesterday the official information about that deal was released. Sun invests in the IAM space - and aquiring in the role management space for sure is a good thing today in these days because role management is one of the most important areas of the IAM space. Sun increases its competitive positioning with Vaau. That’s a good signal - for Sun as well as for the market, because more competition is always positive for the customers.

For sure we will have to observe the integration of Vaau technology into the Sun IAM portfolio. But with its audit capabilities, with Vaau and with being amongst the first vendors to support the new web service interfaces of SAP GRC Access control, Sun is definitely back and working on its positioning in the IAM space. So they are not only one of the early innovators, but they appear to be back in track for a leading position in the market also for the next years.

The ones who are reading our newsletter or the articles at our website for some time know that IAM for the midsize market, e.g. the not that big corporations, is one of my favourite topics. Today I had an interesting discussion with a vendor who raised the question which vendor will dominate that market. There are four options:

• SAP
• Microsoft
• IBM
• The rest

SAP is a favourite for customers which are still using SAP as their strategic ERP platform. Microsoft enters the customers via the Active Directory. IBM is still there, at least at most of the midsize companies. Thus, everyone else has to prove that he fulfills the needs of midsize companies better than the other ones. Some vendors, mainly with regional focus (e.g. only US or D-A-CH or somewhere else) are delivering specific solutions for this market. That goes beyond licensing and means to support pre-defined processes, optimized connectors, best practices and so on.

I personally believe that it won’t be only the three I have named explicitly. Every vendor who is able to deliver a real midsize offering will have a good chance to win customers - just because there are so many corporations which require an IAM solution…

Our upcoming Identity Management market report 2007/2008 shows some interesting results. Not to surprising, at least most of them, but nevertheless pretty interesting. One important information is where the money will be spent next year. For sure there is Identity Provisioning. And, as expected, Role Management is a very important area. Besides these both areas there is Single Sign-On as the third topic on which a lot of money will be spent within the next 12 months. More than 30% of the survey participants will implement SSO, will enhance their implementations significantly or will replace the technology which they use today. Another roundabout 30% will optimize their existing implementations. Less than 30% of the companies won’t spend money on SSO.

The question behind is for the reason why. There are some aspects. SSO helps the users. It eases their lifes with less user names and passwords. SSO makes the user the admin’s friend. Another aspect is compliance. SSO might help in achieving some of the targets of compliance, at least in (the strongly recommended) combination with strong authentication.

It is easier to audit who is allowed to access which applications, who actively uses accounts in which system and who has accessed which system when. Upcoming trends like the integration with events from phyiscal access systems, thus doing the step towards context-based authentication and authorization, enhance the support for compliance requirements.

From my perspective, these two aspects - user friendliness and compliance support - are the most important driving factors for the success of SSO. Besides, SSO is pretty mature, at least the Enterprise SSO solutions which are most common today. But also token-based approaches like the use of Smartcards with certificates and other credentials stored on the tokens shows an increasing maturity, lower costs and a broader availabilty of devices.

Thus, if you haven’t solved your SSO issues until know, start thinking about. But when you think about, don’t remain with an internal solution like Enterprise SSO but think about the future. SSO for your customers through support of OpenID, CardSpace and other technologies shall as well be part of your SSO strategy (look at some of our downloads…) as the role identity federation will play in the next years.

Sometimes the real important news are hidden pretty well. I’ve experienced this once again at SAP TechEd in Munich. Despite several analyst briefings before and during the event I decided to attend a presentation on the status and future of SAP NetWeaver Identity Management. At the very end of the presentation there came a slide about the relationship of CUA and SAP NetWeaver Identity Management which said that CUA will be replaced by SAP NetWeaver Identity Management on the long term.

That is really important news. CUA is the Central User Administration in the SAP environments, allowing to centrally manage users for several instances of SAP system with ABAP based local user management – which means in fact most of the core business systems in the SAP environment. For sure SAP will support a coexistence of CUA and SAP NetWeaver Identity Management. But the strategic solution is SAP NetWeaver Identity Management.

Due to the fact that an ABAP only focus isn’t sufficient for the user management in SAP environments, that is important (and positive) news for existing CUA users as well. And there are many options to use CUA together with SAP NetWeaver Identity Management in the future. But it is an aspect which influences as well decisions on CUA implementations as the overall Identity Management strategy – and the Identity Management market in general.

This new role of SAP NetWeaver Identity Management will in fact lead to a situation where the product will be used in a very high percentage of all SAP implementations at least for provisioning to the local user managements of the different SAP systems.  For sure a customer could also decide to use another’s vendor product for what he is doing today with CUA and with another provisioning solution. And there will be many customers who will use SAP NetWeaver Identity Management as a CUA replacement together with another product.

But overall the CUA replacement is one of the strongest arguments SAP has for its NetWeaver Identity Management, besides the important role the product will play for the future evolvement of the NetWeaver platform. And the positioning as CUA replacement has to have impact on the IAM strategies of all SAP customers. They should analyze the pros and cons of all options, from “pure SAP” to “non SAP”. That’s not only about CUA and the provisioning, but will be influenced as well from the plans SAP has for IAM in the NetWeaver- and overall SAP-scope. I’ll talk about these plans more in the next weeks as well as in an upcoming report on SAP’s IAM strategy.

Oracle today announced that they’d like to acquire BEA and have placed a bid for BEA. The BEA management on the other hand seems to not be willing to become a part of Oracle. To me, it’s somewhat surprising that Oracle looks on BEA. Oracle has its own middleware product and, from a technical perspective, I don’t see the urgent requirement to buy BEA. BEA, for sure, is one of the leading vendors in the market space but I don’t expect them to add that much value at least from a technical perspective to Oracle that it would be worth to pay the pretty high price.

So there is mainly one reason for this bid: Market share. If you combine the market shares of both companies the result will probably be the market leader, in front of SAP and IBM as closest competitors. With respect to the ongoing “battle” between Oracle and SAP its reasonable from an Oracle perspective to invest in marketshare especially in the core segment of competition, the middleware or application infrastructure market - however you name this market segment.

Beyond this, the Oracle bid for BEA points to another thing I have in mind for a long time: BEA is the only large vendor in this segment which is focused mainly on middleware. I doubted that this is sufficient. From my perspective, BEA and BMC would be an interesting fit - much more interesting than Oracle and BEA, because that’s really mainly about market share. Combining BEA and BMC would led to a strong vendor which competes against IBM and others, with a broad offering covering the infrastructure as well as the applications and thus delivering the basis for sort of an ERP for IT. But if I look back to the PeopleSoft acquisition, I doubt that anyone else will acquire then Oracle.

So we can expect Oracle to set the next milestone in the mentioned “battle” against SAP through expanding its market share in the middleware market - and sit back and wait for a response from SAP.

Oracle remains true to its strategic approach of growth trough acquisitions. The next company to become part of Oracle is LogicalApps. LogicalApps, pretty unknown at least here in Europe, is a vendor in the GRC space - more concrete of “automated GRC controls management solutions”. GRC is an acronym for Governance, Risk Management and Compliance. The solution supports SoD enforcement, monitoring of business transactions, and evidence (e.g. audit). The vendor is focused on Oracle Applications with - as they claim - hundreds of successful deployments in these environments.

With this acquisition, briefly after announcing the acquisition of Bridgestream, Oracle proves that they are willing to compete with SAP in the GRC field. In fact the combination of Bridgestream and LogicalApps will lead to a solution which can be compared to SAP’s GRC Access Control solution which has its roots in the former Virsa products. SAP’s advantage is that they are some two years ahead of integrating and enhancing what they had acquired. On the other hand Oracle has proven its ability to integrate products they have acquired. And Oracle has another interesting component in its portfolio with the risk-based authentication/authorization provided through Bharosa, another company they recently acquired.

Both vendors, by the way, face the same challenge: They have to expand the solution scope beyond their own ERP applications. SAP is intensively working on support for Oracle Applications, PeopleSoft and other solutions. Oracle will have to enhance the LogicalApps product to a pre-defined “best practice” support of SAP environments. And both of them will have to enhance the scope of GRC beyond the core ERP solutions to all information (systems) in the enterprise. eMail, for example, is pretty relevant to GRC.

The acquisition strengthens Oracle’s competitive positioning and is, from my point of view, a major milestone towards true competition in the GRC field, because Oracle will now be the challenger number one for SAP in this area. It will be interesting to observe whether other major vendors like IBM or even Microsoft will enter this market - and with which approach they’ll do that.

The acquisition of MaxWare by SAP finally has led to a new competitive situation in IAM. I define four segments or clusters of vendors in the market:

• The ones with focus on the business process
• The ones with focus on business service management
• The pure (or mainly) IAM vendors (and the ones which have a broader IAM portfolio but not integrated that into a higher level vision)
• The specialists 

To start with the first segment - these are the vendors who compete for becoming the leading supplier of the infrastructure for business processes. To do this, they need IAM to provide identity services into the new SOA-based business processes. The main vendors in this cluster are Oracle, and SAP (in alphabetical order…). Both of them are working on identity services, both two as well are working intensively on or providing solutions for GRC (Governance, Risk, Compliance). You might add Microsoft to this segment because their main target is a vital role in the business process battle.

The second segment are the vendors with an infrastructure management history who today provide solutions for Business Service Management (or Business Technology Optimization or however you name it). The most important ones in this segment are BMC, CA, and HP. Yes, for sure - HP also has some service focus but the big story is about BTO, in their case. IAM is, from the perspective of these vendors, mandatory as a central part of the IT infrastructure to be managed. You might, by the way, add Völcker Informatik to that segment. They are no full BSM vendor but their philosophy is driven by many of the same ideas.

Then there are the IAM suite vendors like Evidian, Novell, or Siemens - and many others like Beta Systems, Courion or M-Tech. For some vendor you might discuss whether he is part of this cluster or a specialist but that will become more clear with my definition of that segment later. These vendors are providing sort of “standalone IAM”, with more or less completeness of their portfolio.

The specialists are vendors which focus on specific aspects of the broader IAM landscape. These include companies like SECUDE, Sxip, Ping Identity, Sailpoint, Titus Labs, G+D, or Bhold, to name just a few.

If you look for the big names in the list there are some missing, notably IBM and Sun. They are the typical “somewhere-in-between-vendors”. I’d put IBM in the BSM cluster, Sun in the “pure IAM vendor” box as the best fit. But as mentioned above you could also discuss about the positioning of HP, Voelcker and other vendors.

The more interesting question is about who will be the winners in this new formed competition - and the loosers. The most difficult situation, from my point of view, is the one of the “pure play IAM vendors”. Specialists might always find there place in the market or become acquired. But the IAM vendors who haven’t been acquired until now will have to rethink their positioning. Might they add something to enter another segment? Evidian might, being a vendor in the systems management space at well. Besides they are a specialist in E-SSO and they have a new focus on mid-sized businesses. Siemens has large customers and its eHealth specialization, plus some Telco background. So there are opportunities for further success for virtually any vendor in the market. But some might have to really think about their strategy to achieve a positioning which makes them competitive even three or five years from now.