10.04.2008 by Martin Kuppinger
For some time I planned to write a report on the segmentation of the role management market. There are many different offerings for role management which all use the same buzzwords but provide pretty different solutions. But I decided not to write this report - just because there is no role management market. It might appear that such a market segment exists. But in fact it is just a part of a larger market segment, the GRC (Governance, Risk Management, Compliance) market.
The GRC market, on the other hand, appears today as a very fragmented market, with a broad range of solutions and tools. Without giving away everything my upcoming report on the structuring of the GRC market will include, there are at least two levels of distinction between the offerings in the market. The first is around the general level, where you find methodologies, pre-defined solutions (for example rule sets for specific applications and compliance regulations which can’t be applied easily to other threats) and tools.
Within the tools, there appear, amongst others, the vendors of role management solutions. I personally define five core functionalities for GRC tools:
- Analysis of entitlements and Reporting
- Attestation - should, by the way, be multi-layered
- Authorization Management, including SoDs (Segregation of Duties) and, in general a policy/rule definition and enforcement for entitlements
- Risk Management, including Risk Modeling and Analytics
- Role Management
Within these functionalities, the management of roles is the centre, because the other features rely on this. Workflow features - best solved with the choice between internal and external workflows - are mandatory.
Currently there is no vendor who provides the entire big picture on a high level. But it is obvious that many vendors are working on this picture and are delivering more and more parts of the puzzle.
By the way - based on these tools there probably will be a solution market again which provides pre-defined implementations for specific industries or regulations.
This view also gives an answer to the question of whether GRC should be limited to IAM. No, it is a broader market. IAM delivers to GRC solutions. But GRC is sort of a bracket across the entire IT infrastructure, building a bridge between IT and business. Thus GRC goes well beyond IAM, even while many of today’s IAM solutions can (help to) solve GRC threats and even while there won’t be a successful enterprise GRC implementation without a strong IAM foundation.
18.03.2008 by Martin Kuppinger
Novell has finally released its Identity Manager 3.6 with integrated role management. There are two points of view on this new feature:
- In comparison to the integrated role management functionalities of other provisioning solutions.
- In comparison to the role management products out of the greater GRC market segment, including the business role specialists, GRC apps like SAP GRC Access Control or Identity Risk Management solutions.

Both are valid approaches, like I’ve written in my other post from today. But it has to be kept in mind that you can’t solve every requirement with one solution – there are some which are best tackled with integrated role management and others which require a solution on top.
The implementation of Novell is pretty good in several areas, but there are also some missing elements. To start with the shortcomings: for example, attestation isn’t really solved (by the way, attestation is something which requires multiple levels), there are only a few standard reports, and defining new approval workflows and making other more fundamental changes requires the not-that-easy-to-use Designer for Identity Manager. Designer for Identity Manager definitely is a great tool, but you really need to invest some time to understand the tool and its concepts.
The positive things are a flexible role model, integrated SoD rules (Segregation of Duties), a flexible concept with roles, policies and workflows which can be easily combined (given that you use the standard workflows or have managed to create new ones with the Designer), and an improved self-service interface, the user application which now is much more mature than for example in Identity Manager 3.0-days.
Thus, Novell has, with its first release, created a role management module which is good while there are better solutions in some (few) other provisioning products. But there is still a lot of work to do for Novell to become leading-edge in the provisioning quadrant. Compared to the GRC tools, the dependency on a technical provisioning tool, even with the pretty easy user application, will always be a hurdle. Thus, Novell is competitive in the provisioning segment – but you still have to consider whether that is the right place for your role management (like with any other provisioning product).
30.01.2008 by Martin Kuppinger
One trend observed is that the so-called “Identity Managers”, e.g. the provisioning products, are constantly growing in functionality - and complexity. This isn’t surprising. There is strong competition between vendors and thus many vendors try to add all the functions which are offered by other vendors. The customers as well expect very complete products. But there are two things which should make us think about this strategy:
- The increasing complexity: Does it really make sense to create more and more complex products?
- The still existing weaknesses: In many areas there are better solutions available as separate products than are implemented in most or all provisioning products. Have a look at business role management, GRC (Governance, Risk Management, Compliance) functionality, or workflows.
Besides this, there is not just one user group which has to deal with identity management. There are departmental managers who have to do some attestation and to invoke workflows. There are the persons who act as the interface between IT and the rest of the organization and who, for example, have to deal with the translation of business roles into system roles. There are technical administrators of the connected systems. In other words: there are several levels within the organization which have to be addressed - and there are several technical layers.
I personally don’t believe that more and more complex provisioning products are the best answer for the customer’s requirements. In contrast, a modular approach with defined interfaces and defined responsibilities would suit much better in most cases, especially in the larger companies. For smaller companies, a one-stop-solution might be appropriate. But in that case it has to be one which is pre-configured and easy to use, something which isn’t delivered today.
My expectation is that the market will change, with vendors who offer modular solutions (or just some modules) in a service-oriented architecture and others who focus on the midsize market with integrated products. But today’s approach of putting more and more functionality (business role management, auditing,…) into a technical product will fail, like yesterday’s “Enterprise Systems Management Frameworks” have failed.
15.11.2007 by Martin Kuppinger
It has been quiet around Sun Microsystems at least in the IAM space for some time. Being one of the companies pushing the market some four years ago, especially with their Waveset acquisition, there hasn’t been that much news for some time. For sure there were still a lot of improvements in the product. But other vendors like Oracle and SAP have had much more attention - especially due to their acquisitions. And some interesting things Sun has done like their early entry into the audit space or their virtual directory technology never obtained much attention, for different reasons.
The audit capabilities, for some time now part of the Sun Identity Manager, probably came a little bit too early. The virtual directory technology, on the other hand, is part of the Sun Directory Server and thus not a real competitive product to the standalone solutions in the market. From my perspective, Sun should decouple these products.
But back to the silence around Sun - it ended yesterday. Or, to be honest, it ended some days ago when the rumors around the planned acquisition of Vaau became more frequent. Yesterday the official information about that deal was released. Sun invests in the IAM space - and acquiring in the role management space is for sure a good thing these days because role management is one of the most important areas of the IAM space. Sun increases its competitive positioning with Vaau. That’s a good signal - for Sun as well as for the market, because more competition is always positive for the customers.
For sure we will have to observe the integration of Vaau technology into the Sun IAM portfolio. But with its audit capabilities, with Vaau and with being amongst the first vendors to support the new web service interfaces of SAP GRC Access Control, Sun is definitely back and working on its positioning in the IAM space. So they are not only one of the early innovators, but they appear to be back on track for a leading position in the market also for the next years.
22.10.2007 by Martin Kuppinger
In some of my last entries in this blog (here and here) I’ve mentioned the concept of Enterprise Information Management, something I will cover in depth in a report within the next few weeks. Enterprise Information Management will be sort of the long term evolution of today’s Identity Management and some of the tightly related topics, as well as the integration of IAM with some other technologies. I started thinking about this concept when I developed a simple chart which describes the future of IAM.
It starts with today’s IAM, which is sort of “Identity Management for Administrators”, e.g. solving mainly technical issues in synchronizing information, with support for single sign-on or with provisioning. I’ve titled the next level “Identity Management for Applications”, describing the service orientation and the integration into applications. It includes aspects like Application Security Infrastructures. Many vendors are working on a service layer or the integration of business applications with their IAM products.
19.10.2007 by Martin Kuppinger
SAP tends to talk about its concept of business-driven Identity Management these days and claims this to be a new approach. But honestly – neither the term nor the concept is really new (but valid). Business-driven Identity Management in SAP’s vision is role-based. Based on business roles, to clarify this, not on the technical system roles SAP supports today in its different business systems.
There is no doubt that business roles are becoming more and more important for IAM. SAP supports them today in its GRC Access Control product. SAP NetWeaver Identity Management in the current and near-term releases will use a separate role management approach. That might, in my opinion, change over time due to the fact that the integration between SAP GRC Access Control and SAP NetWeaver Identity Management is one of the major points on the SAP roadmap.
There are two things I’d like to add. First of all, what SAP delivers today in SAP NetWeaver Identity Management is a first step towards the right direction but definitely not the leading business role management approach in the IAM space. Second, business-driven IAM doesn’t end with business role management. In my vision for the evolution of IAM there is much more business control of information through the user, centered around “information objects” and the identities. I’ve talked about that in some of our webinars and will, probably by the end of November, write a report on this vision and the things I observe in the industry – and probably I will write a little about this in my blog even before publishing the report.