The CIO agenda – the four key initiatives

07.12.2007 by Martin Kuppinger

The topic I probably discuss most often, with vendors and system integrators as well as with end users, is how to sell IAM. The problem behind this is that IAM is mainly seen as an infrastructure element (which it is). The potential business value is often quite unclear, and many people don’t even know that they need IAM because they use different terms. The CRM people, to give just one example, don’t see their system in the context of IAM, even though it’s the biggest identity store in most companies.

One thing I’m working on intensively is a business-related line of argument which starts with the business problem and ends with IAM – and not the other way round, as is done in most cases. The other aspect that came to my mind is to sharpen the relationship between IAM and the CIO’s agenda. The first step in this is to have a look at the CIO agenda: what should be on that agenda (which is not necessarily the same set of issues that is on the agenda today).

MDM, EAI, IAM, Data Quality

22.11.2007 by Martin Kuppinger

At a workshop I held yesterday I had an interesting conversation about some aspects of IAM, especially the way IAM products are developed without reuse of existing technologies. The discussion isn’t really new to me. I discussed some of the aspects some five or six years ago with one of the leading IAM vendors. A fruitless discussion, by the way.

MDM, i.e. Master Data Management, is a concept for building and maintaining master data, for example supplier data or material data. There is no real difference from what meta directory services provide. The only real differentiators are the specific connectors. But the basic concepts are the same. The concept of delivering data quality is inherent to MDM, sometimes based on sophisticated pattern matching approaches. That raises the question: Why don’t we use these technologies for many of the things which are done today by proprietary IAM products?

EAI, i.e. Enterprise Application Integration, is an approach that uses a sort of bus system to connect different systems and to exchange any type of information. Some two days ago a vendor told me that some of its customers are using EAI (or enterprise service buses) to exchange SPML for the integration of different provisioning systems. Siemens, by the way, used such a technology some time ago. The customers argued about the complexity of this approach. On the other hand, such technologies are widely deployed in larger corporations, are very flexible regarding their connection to databases and the core business applications, and ensure reliable transport. Thus, they often provide functionality which is missing, for example, in provisioning systems. Again this raises the “why” question.

The provisioning-specific workflows are another example, even though the vendors are starting to fix this and to support other, external workflow systems which often offer broader functionality and interfaces to process management tools.

My answer to the “why” questions is pretty easy (and in fact, there are two answers): I assume that many of today’s architects aren’t familiar with the concepts I’ve mentioned and other important IT concepts. And you can’t use what you don’t know. The second part of the answer is: As a first step it is much easier to build a system without integrating these sometimes pretty complex approaches. But in the long run it’s inefficient.

Besides this there are two perspectives: From the IAM-only perspective, using MDM or EAI as a foundation leads to more complex products. From an overall IT perspective, it leads to less complexity. Thus, it is also a question of the point of view. Anyway: I believe that it will at least be helpful to have a look beyond the common IAM approaches. That’s what vendors really should do these days. The example of workflows, which are more and more externalized, proves that there is some need to do that. By the way: Doing that might as well lead to new competition. Think about MDM or EAI specialists and some other company which focuses on connectors. There might be interesting business models for both of them to successfully compete in the IAM business.

Posted in IAM market, IAM vision, SOA

Enterprise Information Management

22.10.2007 by Martin Kuppinger

In some of my last entries in this blog (here and here) I’ve mentioned the concept of Enterprise Information Management, something I will cover in depth in a report within the next few weeks. Enterprise Information Management will be a sort of long-term evolution of today’s Identity Management and some of the tightly related topics, as well as the integration of IAM with some other technologies. I started thinking about this concept when I developed a simple chart which describes the future of IAM.

It starts with today’s IAM, which is a sort of “Identity Management for Administrators”, i.e. solving mainly technical issues in synchronizing information, with support for single sign-on or with provisioning. I’ve titled the next level “Identity Management for Applications”, describing the service orientation and the integration into applications. It includes aspects like Application Security Infrastructures. Many vendors are working on a service layer or the integration of business applications with their IAM products.

From risk-based to context-based authorization

20.10.2007 by Martin Kuppinger

Dave Kearns, who will contribute as a track moderator and speaker to our European Identity Conference 2008, has introduced the term context-based authorization (and influenced my thoughts on this topic - thanks to Dave) as an approach for basing authorization on the context in which a user acts, which goes beyond risk-based authorization in two ways: It’s not binary, i.e. either in or out. And it’s potentially based on more information about the context. I’d like to add some thoughts from my side to this and also explain the difference between today’s risk-based authorization and tomorrow’s context-based authorization.

Risk-based authorization is an approach which has developed mainly in the financial industry. The idea is to observe and analyze user interactions to detect potential attacks and other dangerous situations. If there is a risk, the authorization to access a specific system or specific data within a system is denied. There are several vendors in this space, including Oracle with their Bharosa acquisition and Arcot Systems.

The idea of context-based authorization goes well beyond this, even though there is no hard borderline between vendors of risk-based authorization and the context-based authorization idea. It’s more a sort of evolutionary process. I personally expect that today’s vendors in the risk-based authorization space (which sometimes have some ability for context-based authorization as well) will expand their products towards context-based authorization. I assume that we will also see some new specialists in the space of context-based authorization. And for sure the key players in the IAM space will enter the market for context-based authorization either with the make or the buy approach, i.e. building it by themselves or acquiring someone.
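
The difference between the two models described in this entry, shown as an added example that is not part of the original post: a binary risk gate next to a graded, context-based decision over the same request. The signal names, point values, thresholds and access levels are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Access(Enum):
    DENY = "deny"
    READ_ONLY = "read_only"
    STEP_UP = "step_up"   # full access only after extra authentication
    FULL = "full"

@dataclass(frozen=True)
class Context:            # all fields are illustrative assumptions
    known_device: bool
    usual_country: bool
    network: str          # "corporate", "home" or "public"
    sensitivity: int      # 1 (low) to 3 (high) for the requested data
    write: bool           # True if the request modifies data

def risk_score(ctx: Context) -> int:
    """Constructed scoring: each anomaly in the interaction adds points."""
    score = 0 if ctx.known_device else 40
    score += 0 if ctx.usual_country else 40
    score += 20 if ctx.network == "public" else 0
    return score

def risk_based(ctx: Context, threshold: int = 50) -> bool:
    """Binary model: the user is either in or out."""
    return risk_score(ctx) < threshold

def context_based(ctx: Context) -> Access:
    """Graded model: same anomalies, weighed against what is requested."""
    score = risk_score(ctx)
    if score >= 80:
        return Access.DENY
    if score >= 50:       # the binary gate would deny all of these
        return Access.READ_ONLY if ctx.sensitivity <= 2 else Access.DENY
    if score > 0 and (ctx.write or ctx.sensitivity == 3):
        return Access.STEP_UP  # the binary gate would simply allow
    return Access.FULL

# Constructed sample requests
SAMPLES = {
    "office": Context(True, True, "corporate", 3, True),
    "cafe":   Context(True, True, "public", 3, True),
    "new_pc": Context(False, True, "public", 1, False),
    "abroad": Context(False, False, "home", 2, False),
}

if __name__ == "__main__":
    for name, ctx in SAMPLES.items():
        print(name, risk_based(ctx), context_based(ctx).value)
```

The "cafe" and "new_pc" samples are where the models diverge: the binary gate allows the first outright and denies the second, while the graded decision asks for step-up authentication and grants read-only access respectively.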

Not invented here…

19.10.2007 by Martin Kuppinger

SAP tends to talk about its concept of business-driven Identity Management these days and claims this to be a new approach. But honestly – neither the term nor the concept is really new (but valid). Business-driven Identity Management in SAP’s vision is role-based. Based on business roles, to clarify this, not on the technical system roles SAP supports today in its different business systems.

There is no doubt that business roles are becoming more and more important for IAM. SAP supports them today in its GRC Access Control product. SAP NetWeaver Identity Management in the current and near-term releases will use a separate role management approach. That might, in my opinion, change over time due to the fact that the integration between SAP GRC Access Control and SAP NetWeaver Identity Management is one of the major points on the SAP roadmap.

There are two things I’d like to add. First of all, what SAP delivers today in SAP NetWeaver Identity Management is a first step in the right direction but definitely not the leading business role management approach in the IAM space. Second, business-driven IAM doesn’t end with business role management. In my vision for the evolution of IAM there is much more business control of information through the user, centered around “information objects” and the identities. I’ve talked about that in some of our webinars and will, probably by the end of November, write a report on this vision and the things I observe in the industry – and probably I will write a little about this in my blog even before publishing the report.


© 2008 Martin Kuppinger, Kuppinger Cole + Partner