24.08.2008 by Martin Kuppinger
Some weeks ago Evidian, one of the European vendors in the Identity Management market, announced that it is leading a European research program for multi-domain policy management. The program, called MULTIPOL, is part of ITEA 2 (Information Technology for European Advancement), a set of EU-sponsored initiatives in the IT space.
The focus of MULTIPOL is mainly on multi-domain authorization, i.e. controlling access according to different security policies from different domains. The reason why: there is no internal network with a strong perimeter any more. Networks are becoming increasingly open. While authentication has been solved by approaches like Federation, the handling of policies for access control, and thus authorization, is still an issue.
We will observe this initiative, with Evidian as lead and ten other major European IT companies as participants. Policy Management beyond the border of one system is still amongst the things which have to be solved.
Some years ago I wrote an article on policy management, stating that companies aren’t solving the problem but are just moving it to the next level. That was when more and more vendors told me stories about the policy management capabilities they had built into their products. Usually they had built one policy management per product. So, instead of 100 products without policies there were 100 with policies. Different, incompatible ones.
The approach of Evidian is one interesting approach among others, like the idea of claims-based authentication and authorization Microsoft/Kim Cameron have published. Given that Evidian has long experience especially in managing access, there might be some valuable outcome from this project - despite the fact that it is an EU-sponsored project.
15.08.2008 by Martin Kuppinger
This morning I was working on some slides for a sales training I will do for a vendor one of these days. When clicking through my slides I found an older slide I first used some three years ago. It was about the sometimes different understanding customers and vendors might have of the same terms - or the missing understanding of terms on the customer side. Terms like Meta Directory, Federation, Virtual Directory, Reconciliation, and so on.
In this context I recall a conversation I had some weeks ago with Hassan Maad, COO of Evidian (one of the definitely underestimated vendors in the market). He said that from his experience the term “access” is much more meaningful to the customer than “identity”. He is right - everyone can imagine what we are talking about when we talk about “access”. “Identity”, on the other hand, is a fuzzier term.
Another recent experience was about the way vendors are selling their tools. In a current strategic consulting project, I had a discussion with the customer about the evaluation of tools. The customer had had several sales presentations from different vendors. When comparing the customer’s rating of the vendors with our view, there were really big differences in two cases. The reason for this: the sales people had used their common, typical terms, didn’t focus on the needs of the customer and, in one case, focused on an architectural approach which the vendor has significantly changed over the last two or three years. It looks like the sales people once learned some USPs (unique selling propositions) which appeared to be “unique”, but not necessarily “selling”. While the vendor adapted its product, the sales people are still using these old non-USPs instead of telling the new story.
There is something common to these observations: in every case it is about hitting or missing the expectations of the customer. It is very easy to lose by using terms which the customer either doesn’t understand or misinterprets. It is just as easy to lose pitches by telling the wrong story, either an ancient one or one that misses the expectations of the customer.
Thus, it might be a good idea for the entire industry to rethink their wording. Take “reconciliation” - not that easy to understand, especially for people whose native language isn’t English. Or “entitlement management”: I’ve never met anyone who understood that without further explanation. Not that bad for us analysts, because explaining things is part of our business.
And, if your job is about selling Identity and Access Management or GRC (Governance, Risk Management, Compliance), it is always a good idea to first think about the “customer customer” (whom are you talking with - and which are his obvious business needs?), the industry (not every industry has the same requirements), and to talk about the requirements of the customer before talking about your solution. Listen, then talk. And talk in a language everyone can understand - or briefly explain the specific terms you can’t avoid.
06.08.2008 by Martin Kuppinger
Some time ago HP decided to stop the further development and sales of their IAM products, although they will continue to support existing customers. Since then, Novell has announced an agreement with HP with a special cross-upgrade offer. And, since then, there have been a lot of rumours about other partnerships in the market. What is the reason for this?
To understand this one first has to understand the structures of HP. HP is a pretty big and diversified company. There is the consumer business, there are printers. In the enterprise IT area, we still have three different divisions:
- Software (by far the smallest division)
- Hardware
- Services (consulting, integration,…)
These divisions have different strategies. And they have different partner strategies. The agreement between Novell and HP comes from the software division. The services division, depending also on the region, sometimes takes a different view. Thus, none of the partnership announcements of HP around IAM should be overestimated.
From my perspective, it is much more important for existing HP customers to rethink their IAM strategy. Will you use HP software - and until when? And what are your vision, your strategy, your operational requirements for IAM? Thus - which way will you go? Which software vendor fits best? Which integrators suit your targets best? Given that IAM is becoming more and more business driven, integrated into the GRC and/or BSM context, you should first redefine and update your IAM strategy and afterwards select the best vendors and partners for you. That might be Novell, Oracle, or someone else.
And you can bet that your IAM strategy has to be updated compared to what you had in mind some years ago when deciding for the HP solution - because there has been a lot of progress in IAM since then.
The costs of software licenses are a small percentage of the overall costs of IAM projects. Thus, these costs have to be considered but aren’t the main criterion for a decision. The main criterion is that what you do fits your IT strategy and is aligned with the business requirements.
One thing to add: HP isn’t out of IAM - at least not the services division. Again - there are several divisions at HP doing their own thing, and HP still provides and will continue to provide services for IAM, based on software of other vendors.
06.08.2008 by Martin Kuppinger
My colleague Felix Gaehtgens recently blogged about his discussion with Tom Bishop, CTO at BMC, about the BMC strategy for IAM. His findings are very consistent with the blog of Tom Bishop which was published some weeks later and appears to be an indirect response to Felix.
It is obvious that many BMC customers are unsure about BMC’s strategy for IAM. There have been several changes, both in BMC’s organization and in the way BMC is addressing this market. BMC has moved the development of the IAM functionality to India, where they are developing other major parts of their products as well. Some people from the IAM team - from both the product and the sales/marketing side - in North America and EMEA have left BMC, including Jeff Bohren, one of the guys behind SPML. Even while BMC states that there are more people involved in IAM activities than before, there are still some open questions left.
31.07.2008 by Martin Kuppinger
Today I’ve seen a blog entry which claimed that GRC is dead. That reminded me of the closing keynote of our European Identity Conference 2009 where I had a discussion with Paul Heiden of BHOLD Company about GRC. Paul claimed that GRC is just dealing with FUD (fear, uncertainty, doubt) and that there is no real business value in it.
So - is the market for GRC solutions (Governance, Risk Management, Compliance) dead before it really blossomed?
Yes, if GRC is limited to auditing, with focus on some dashboards and some information extraction for auditors.
No, if GRC is understood as something which goes well beyond this and isn’t limited to a narrow one-way-road. And that is how we understand the GRC market and how we have defined this market segment in our GRC Market Report 2008.
There are some real value propositions for GRC solutions, beyond “avoiding penalties” as the classical negative inhibitor:
- On the lowest level, one standardized approach to GRC issues tends to be more efficient than many point solutions.
- Much more important is the ability to not only audit but control - Enterprise Authorization Management (or Entitlement Management) is one of the key elements of GRC solutions, providing business control for the access to IT resources.
- This is, by the way, much more efficient than the granular, isolated management of access controls on lower levels. A relatively small number of business roles and rules usually covers a significant part of all access controls on lower levels in the infrastructure, down to the system level. These lower level controls can be derived, with some added exceptions.
- Probably the most important aspect is that GRC done right enables a more efficient management, focused on exceptions. Defining and measuring risks provides this ability.
From our view, GRC has to be understood as an initiative which is at the core of Business-IT alignment. GRC has the potential to fulfill these (today in most cases unfulfilled) promises of building a link between business and IT.
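The two points above, deriving system-level access controls from a small set of business roles and rules and then managing only the exceptions, can be made concrete in code. The following is an added example, not code from the original post or from any vendor mentioned here; all roles, rules, entitlement names, risk weights and user records are constructed sample data. A few business roles plus attribute-based rules produce the entitlements each user should have; comparing that against what the systems actually grant leaves the exceptions, which are split into approved (documented) and unapproved ones and scored by risk so that a reviewer sees the risky deviations first.

```python
"""Derive system-level entitlements from business roles and rules, then
report only the exceptions. All data is constructed for illustration."""

from dataclasses import dataclass, field

# Business roles -> (system, entitlement) pairs they imply. Constructed.
BUSINESS_ROLES = {
    "ap_clerk":   {("erp", "post_invoice"), ("fileshare", "finance_ro")},
    "ap_manager": {("erp", "post_invoice"), ("erp", "approve_payment"),
                   ("fileshare", "finance_rw")},
    "sales_rep":  {("crm", "edit_opportunity"), ("fileshare", "sales_rw")},
}

# Rules grant entitlements from attributes instead of roles. Constructed.
def rule_regional_share(user):
    """Every employee may read the file share of their own region."""
    return {("fileshare", f"{user.region}_ro")}

def rule_vpn_for_remote(user):
    """Remote workers get VPN access, office workers do not."""
    return {("vpn", "remote_access")} if user.remote else set()

RULES = [rule_regional_share, rule_vpn_for_remote]

# Risk weight of an entitlement that is held without being explained
# by the model; anything not listed counts as 1. Constructed.
RISK_WEIGHT = {("erp", "approve_payment"): 10, ("erp", "post_invoice"): 5,
               ("fileshare", "finance_rw"): 3}

@dataclass
class User:
    uid: str
    roles: set
    region: str
    remote: bool = False
    # Deviations that were reviewed and approved (documented exceptions).
    approved_exceptions: set = field(default_factory=set)

def derive_entitlements(user):
    """Expand roles and rules into the set of entitlements the user should have."""
    derived = set()
    for role in user.roles:
        derived |= BUSINESS_ROLES[role]
    for rule in RULES:
        derived |= rule(user)
    return derived

def find_exceptions(user, actual):
    """Compare actual entitlements (as read from the systems) with the derived
    ones. Returns (unapproved_excess, approved_excess, missing, risk_score)."""
    derived = derive_entitlements(user)
    excess = actual - derived          # held, but not explained by the model
    missing = derived - actual         # expected, but not granted
    approved = excess & user.approved_exceptions
    unapproved = excess - approved
    risk = sum(RISK_WEIGHT.get(e, 1) for e in unapproved)
    return unapproved, approved, missing, risk

def review(users, actual_by_uid):
    """Return only users with findings, riskiest first."""
    findings = []
    for user in users:
        unapproved, approved, missing, risk = find_exceptions(
            user, actual_by_uid[user.uid])
        if unapproved or missing:
            findings.append((user.uid, risk, sorted(unapproved), sorted(missing)))
    return sorted(findings, key=lambda f: f[1], reverse=True)

# Constructed sample: alice holds one unexplained, high-risk entitlement;
# bob has an approved exception and is missing an expected entitlement.
ALICE = User("alice", {"ap_clerk"}, "emea")
BOB = User("bob", {"sales_rep"}, "apac", remote=True,
           approved_exceptions={("crm", "export_report")})
ACTUAL = {
    "alice": {("erp", "post_invoice"), ("fileshare", "finance_ro"),
              ("fileshare", "emea_ro"), ("erp", "approve_payment")},
    "bob": {("crm", "edit_opportunity"), ("fileshare", "sales_rw"),
            ("fileshare", "apac_ro"), ("crm", "export_report")},
}

if __name__ == "__main__":
    for uid, risk, unapproved, missing in review([ALICE, BOB], ACTUAL):
        print(f"{uid}: risk={risk} unapproved={unapproved} missing={missing}")
```

The reviewer's work shrinks from checking every entitlement on every system to looking at the two lines this prints: alice's unexplained payment approval right (weight 10) and bob's missing VPN access. Adding a role or rule changes the derived set for everyone it covers, which is the efficiency gain over managing each system's ACLs separately.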
18.07.2008 by Martin Kuppinger
These days I received an invitation from an IT vendor to visit an ECM (Enterprise Content Management) event. The keywords were Governance and Compliance. And the title of the keynote presentation suggested that ECM will solve every threat companies are facing in these areas today. Interestingly but not surprisingly, I have received invitations like that from other vendors – claiming to solve all these issues with other solutions in the fields of IAM (Identity and Access Management), BSM (Business Service Management), or with solutions focused on specific types of business applications like SAP or Oracle Applications.
Interestingly there are very few covering the area of SOA, another of these three-letter abbreviations, which might be the fourth field claiming to fulfill everything a company might require in GRC – or not.
Every one of these companies is contributing to GRC – but none of them will ever be able to fulfill all requirements, at least as long as it doesn’t provide offerings for BSM, ECM, IAM, and SOA, for business applications, and for consulting on methodologies on the business as well as the IT level. Maybe IBM might at some point in time be the one to deliver – but in the areas of integration as well as solutions specific to the leading business applications there will be gaps at least for a very long time.
In other words: everyone is promising great things, no one is really delivering.
When you look at this issue from a customer perspective, it becomes obvious that there is a strong need to first define a corporate GRC strategy, derive an IT GRC strategy and then implement it, combining solutions from different vendors for different parts of the problem. Non-strategic GRC investments have to be avoided – they are costly. If there is no overall strategy you will end up with many small, non-integrated pieces instead of a GRC solution which can really support your business requirements.
By the way: To support your initiatives in the field of GRC we are now offering “GRC ratings” for vendors, clearly showing in which areas of the big picture of GRC they can deliver today, in which areas they might deliver in the future – and how mature we rate their offerings.
A short note at the end: Someone asked me about the relationship of GRC and ECM. ECM is, besides other functions, about archiving information. And there are many legal requirements for archiving business-relevant information. Thus, ECM is a part of the overall GRC theme.
26.06.2008 by Martin Kuppinger
Yes, I know – Information Cards (or Infocards) and their incarnation in Microsoft Windows CardSpace have been around for a while. But it was mainly the inner circle of Identity Management (and especially of user-centric Identity Management) that was really aware of this. With the recent announcement of the Information Card Foundation (ICF), Microsoft and others are trying to improve the visibility of Information Cards as a core element of Identity Management in the so-called cloud.
There has been some discussion around the announcement in blogs and forums in the Internet. One of the most interesting aspects discussed is the necessity to educate the broader public about the concepts and value of Information Cards and the entire “Identity Management for the cloud” (aka user-centric Identity Management, aka Identity 2.0). That must be a main target of ICF, but as well of all the other players in this emerging market.
First of all, I’m convinced that Information Cards as well as OpenID will become central standards in the Internet and for Identity Management. Given that at least OpenID isn’t that far away from reaching the critical mass and that Microsoft Vista adoption (which makes it easier to use CardSpace) is happening pretty fast, as well as some important Open Source initiatives working on these topics, that might happen earlier than most expect today.
Nevertheless it is important to explain the concepts for everyone – and to address the privacy and security concerns many will have. There are so many things which can be done using these technologies, from Single Sign-On and Profile Management in the web up to Corporate Business Cards. But they require an accepted concept.
Thus, the idea of ICF is great, when it goes beyond technical discussions around use cases and implementation issues and really focuses on education as well. On the other hand the member list of ICF proves that there is strong interest in and support for Information Cards in the industry. You can bet that no one is in there who doesn’t expect the use of Information Cards to support his business – otherwise they wouldn’t invest time and money into ICF.
ICF is a great thing from my perspective. It will drive Information Cards forward – and thus the Identity Management for the cloud.
19.06.2008 by Martin Kuppinger
Context-based authentication and authorization is one of the topics which have the potential to become the next hype. I’ve posted twice on this subject, here and here, and we had, led by Dave Kearns, a lot of discussions around this at our EIC 2008. I’m convinced that the topic will become even more important at next year’s EIC.
Besides the obvious players in that future market segment, like the risk-based authentication vendors (Arcot, Entrust, Oracle, RSA and some others), there are other categories of vendors which even today offer at least some context-based authentication and authorization. One of them is Citrix. Given the number of installations of the Citrix Access Gateway they might even be sort of the leader in that market.
You might argue: an SSL gateway is not a solution for context-based authentication and authorization. Yes - and no. No, because an SSL gateway without additional components is just an SSL gateway. Yes, if you combine a Citrix Access Gateway with other things. At a Citrix Analyst Briefing yesterday, a Swiss bank talked about their approach for controlling access of remote workers. They use the Citrix Access Gateway together with many other Citrix technologies and with a NAP (Network Access Protection) tool from EPA factory.
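What makes the gateway-plus-endpoint-check combination "context-based" is that the same user ends up with a different level of access depending on where he connects from, what device he uses and how strongly he authenticated. The following added example illustrates that decision logic in Python; it is not code from the original post, from Citrix or from any product named above, and the context attributes, rule ordering and access levels are constructed assumptions. The endpoint posture flag stands in for the result a NAP-style tool would report; the rules are evaluated in order and the first match wins, so the deny conditions come first.

```python
"""Context-based access decision: map authentication strength, device
state and network location to an access level. Constructed example."""

from dataclasses import dataclass
from enum import Enum

class Access(Enum):
    FULL = "full"              # all published applications and data
    RESTRICTED = "restricted"  # e.g. published apps only, no file transfer
    DENIED = "denied"

@dataclass
class Context:
    user: str
    auth_factors: int     # 1 = password only, 2 = password + token
    managed_device: bool  # device is company-known/enrolled
    posture_ok: bool      # endpoint check passed (constructed NAP-style result)
    network: str          # "corp", "home" or "public"

# Ordered rules: (reason, predicate, resulting access). First match wins,
# so the denying conditions are listed before the granting ones.
RULES = [
    ("endpoint posture check failed",
     lambda c: not c.posture_ok, Access.DENIED),
    ("unmanaged device with single-factor authentication",
     lambda c: not c.managed_device and c.auth_factors < 2, Access.DENIED),
    ("managed device on the corporate network",
     lambda c: c.managed_device and c.network == "corp", Access.FULL),
    ("managed device off-site with strong authentication",
     lambda c: c.managed_device and c.auth_factors >= 2, Access.FULL),
    ("managed device off-site with single factor; step up for full access",
     lambda c: c.managed_device, Access.RESTRICTED),
    ("unmanaged device with strong authentication",
     lambda c: True, Access.RESTRICTED),
]

def decide(ctx):
    """Return (Access, reason) for the given context."""
    for reason, predicate, access in RULES:
        if predicate(ctx):
            return access, reason
    raise AssertionError("rule list must be exhaustive")

def decision_log(ctx):
    """One audit line per decision, so reviewers can see why a level was granted."""
    access, reason = decide(ctx)
    return (f"user={ctx.user} network={ctx.network} managed={ctx.managed_device} "
            f"factors={ctx.auth_factors} posture_ok={ctx.posture_ok} "
            f"decision={access.value} reason=\"{reason}\"")

# Constructed sample: the same user, six different contexts.
SAMPLE_CONTEXTS = [
    Context("jdoe", 1, True, True, "corp"),
    Context("jdoe", 1, True, True, "home"),
    Context("jdoe", 2, True, True, "home"),
    Context("jdoe", 2, False, True, "public"),
    Context("jdoe", 1, False, True, "public"),
    Context("jdoe", 2, True, False, "corp"),
]

if __name__ == "__main__":
    for ctx in SAMPLE_CONTEXTS:
        print(decision_log(ctx))
```

The interesting rows are the second and third: a single password on a managed laptop at home yields restricted access, and adding a second factor lifts the same session to full access. That step-up behaviour, rather than a flat allow/deny, is the value a plain SSL gateway does not deliver on its own.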
13.06.2008 by Martin Kuppinger
These days I’ve read some entries in the Beteo blog, a blog provided by a Swiss software and consulting company which is somewhere in between SOA and BSM - or BTO, the term they tend to use due to some affinity to HP. The interesting thing is that Beteo not only claims but proves that Service Management principles and tools which are commonly used in IT Infrastructure Management can be applied to the field of Software Change Management as well. Beteo, a company I have been in contact with since they were founded (and I had been in contact even with their predecessor), uses this concept with success especially in SAP environments.
That leads to the obvious conclusion: There should be a much more common service understanding. There should be one BSM approach on the upper layer. BSM, as real business service management, should really address the business aspects like
- Defining services from a business point of view - like “manage a contract” including storage, access rights,…
- Mapping these business services to IT services
- Managing these services from a business perspective, e.g. accounting, controlling (do we really need these services?),…
The next layer is IT services, i.e. the more technical services IT provides to deliver a business service. These services can be managed with ITIL principles and - at least to some degree - with today’s so-called BSM tools.
Whether the mapping of IT services to the IT implementations of business processes is part of the IT service layer or the business service layer is a matter of definition. I tend to place the description of business processes at the business service layer and the implementation of business processes in IT - and thus the relationship of these processes with IT services - at the IT service layer.
Anyhow, there is a layer below for the different types of IT services. Today, BSM focuses mainly on IT infrastructure services and provides mainly an ITISM (IT Infrastructure Service Management) - and not an ITSM (IT Service Management) or a real BSM (Business Service Management).
Besides the IT Infrastructure Services we have IT Application Services. These services tend to be more granular, down to web services and so on.
But regardless of the service you talk about: each service can be managed with the same principles - and ITIL (and ISO 20000) is a good starting point if you focus on the principles for managing services. You can define, implement, run, and optimize any type of service. Whether you look at high-level business services or at low-level application services, the way you should handle services is, from a conceptual view, the same. The business aspects like service accounting and controlling can be applied on every level as well.
Given that, a unified view on services and their management would bring a lot of benefits to IT - the reuse of management software, improvements in that software when the experiences of infrastructure and software change management are combined and influence the tools, the capability for an overall auditing and accounting of services, a consistent authorization management for services, their management and their use.
But that would mean that the silos on the vendor side (where software management is in most cases a different division than infrastructure management) disappear, and that the silos in today’s IT organizations are opened for more cooperation.
06.06.2008 by Martin Kuppinger
At EIC 2008 I’ve presented our view on the relationship of GRC and IAM as well as our definition of the GRC market, the core results of our GRC market report 2008. Basically, the generic GRC tools we see emerging in the market are becoming more and more the business layer above the classical core IAM tools, e.g. provisioning, self service and some other feature areas.
I’ve been talking with a lot of users within the last few weeks. And what I’ve learned has confirmed that statement. The most important driver for IAM projects today is the need for defined, auditable processes around user and authorization lifecycle management. And that is about Governance, Risk Management, and Compliance.
To fulfill these requirements, you need a strong IAM foundation. But without a level above it for business-controlled authorization management, for layered attestation from the system up to the business level, for the management of business roles and for business-centric auditing, it won’t fulfill the needs.
Given this, it is no surprise that several vendors either integrate more and more of these features in their IAM products, some of them on a high level (Völcker), while others have acquired specialized vendors in both areas (Oracle, SAP, Sun).
Today it is not necessary to buy the IAM and the GRC products from the same vendor, especially because the GRC solutions are at an early stage. And due to the fact that IAM tools will always focus more on the IT level whilst GRC focuses on the business level, I’m not sure whether they should really be integrated. But one thing is sure: you will need both levels of tools to fully support the business requirements which are driving IAM today.