Radovan Semančík's Weblog

Tuesday, 27 May 2008

Recent gossip has it that HP and BMC are leaving the Identity Management arena. Interesting. It doesn't look like there is a business decline in the Identity Management segment. Rather, it looks like slow, continual growth (disturbed only by the Identity Superheroes that claim to solve all the problems). Then why are these two companies pulling back?

I can only speculate here. And my speculation is that the reasons may be related to the hidden complexity of Identity Management deployments. It is trivial to install Identity Management software and do some basic configuration. But that's only the beginning of the real Enterprise Identity Management project. The real fun follows after that: using organizational structure, aligning the processes, building up roles, ...

The Identity Management project is a multi-year venture. It is not only the deployment of software. It is rather an architectural change. A paradigm shift. However you slice the project to fit into a year's budget, you cannot change its very nature.

That may be the reason why the usual quick-turnaround sell-install-invoice integration-wannabe project approaches fail. The IdM project executed in the proper way is not really a high-profit business opportunity for software vendors. Unless they sell expensive professional services along with the solution, which usually makes the cost unjustifiable and the results inconclusive. The reason is in motivation. The vendor's motivation is to sell the product, not to solve the customer's problem. My opinion is that vendors by themselves cannot solve practical problems of Identity Management.

My solution? Find a proper partner for the project. Either a big consulting company or a small specialized company (Note: I have a vested interest in this option). The big company may already know a lot about your system and can approach the problem from several angles. Therefore it can solve a lot of related problems, both technical and business. They have the manpower. But the cost is invariably high (or the solution invariably poor). A small specialized company will focus on a small set of problems, usually providing good results in a specific area. But the scope of the small company's solution is always limited.

... I wonder what will be the approach of IBM, Oracle, Sun and other IdM vendors. Will they make the same mistake?

Posted by semancik at 12:06 PM in Identity
Comment: Gregory at Thu, 1 Jan 12:00 AM

Your post highlights an intriguing problem, and I would like to contribute to the discussion. I agree with you, in particular with your feeling that in a large Enterprise Identity Management project too often organizations spend money for the products, and much more money to make the products work. And then they have to face ongoing maintenance challenges: day-by-day operability, exception handling, risk mitigation, etc… IM best practices are not enough: I think there is the need of the right tools and handling ability. And the central point, as for any large Software project, is the definition of a supportive representation data model.

Just a clarification: it's obvious that any large organization already has a set of procedures disciplining Identity based processes (e.g. the user account lock/unlock processes). These processes must be managed by the IM system, but if these requirements are not directly supported by the tool's data model, a custom development consisting of "data model" definition and implementation would be required. The data model inside the Identity Management Software shall support data, relations between them and other already available data as well as a simple framework to implement policies.

In conclusion:

o When the product data model itself already supports these processes, mapping of the said processes is reduced to pure and simple configuration in no time. Maintenance and changes are made by high level administrators.
o In case native support is not available, the following should be expected: detailed technical specification definition, Data Model updating, policy writing (usually at low level) and tests, changes, complex management, etc….

Such a solution eliminates, or at least drastically reduces the need to build and maintain custom integration and provides the following benefits for the proper partner you mentioned:

o Reduce project risks and challenging time constraints by minimizing system integration effort.
o Move the focus towards business issues
o Increase high level services, minimizing the effort in directly coding policy in the IAM products (e.g. coding policies directly in the connectors).

And if you want to be an Identity Superhero, you can have more global vision, achieving good governance, risk management and regulatory compliance (GRC). BTW unfortunately most IM solutions on the market are managing this information just using hierarchical LDAP!!!
