
What could a future Oracle-Sun Identity Management Stack look like?

The deal will obviously be under tight scrutiny by regulators. After all, Oracle is a market leader in relational databases, and Sun has acquired MySQL, the number one open source database, which is so popular that it has started to chip away at some of Oracle's core markets. But those database products are not really competing - instead they are complementary. Assuming the merger completes as planned, this will leave the new company with a complete spectrum of databases: an embedded database (Berkeley DB), an open source database (MySQL) as well as the full-blown Oracle Enterprise RDBMS.

In the Identity and Access Management (IAM) and Governance, Risk Management, and Compliance (GRC) fields, both companies have full stacks of competing products - Oracle's stack being even a little more complete. It will be an interesting exercise - assuming that the merger is approved - for the teams from Oracle and Sun to sit together at the drawing board and plot the future product strategy. Many of the products will eventually have to face the axe - "eventually" being the key word here. For the near to medium future, it will be integration in the style of Oracle: carrying multiple overlapping products in the portfolio at the same time, renaming the products and the installation directory, and slapping a new logo onto them. The actual evolutionary "integration" will be much further down the road. When it comes to that, Oracle can learn from Sun Microsystems, although it is worth pointing out that Oracle had a clear strategy for real implementation in the IAM field from the very beginning of its acquisition tour and has made significant progress on that. However, Oracle still has a long way to go there - and integrating the complex Sun portfolio for IAM and GRC won't make things easier.

Sun has traditionally not been great at integrating products into its portfolio either - until just a few years ago. We still remember innovative products, such as the ones coming from Sun's acquisitions of Innosoft and NetDynamics many years back, that eventually ended up on the storage shelf. But Sun has learnt from this: in recent times, Sun has done a great job acquiring WaveSet and turning its flagship Lighthouse product into Identity Manager, as well as acquiring Vaau with its RBACx product and evolving it into Sun Role Manager.

What is interesting to note here is that those products did not go through a self-imposed paralysis but continued evolving after acquisition. That took some time after management changes, but over the course of the last two years, Sun moved forward significantly and was, for example, pretty fast at really integrating the Vaau products. Another big plus on Sun's side is the innovative push behind the OpenSSO product and the directory servers (DSEE and OpenDS).

Access Management – Oracle vs Sun

At this point, what will happen to the Identity Management portfolio of both companies is pure speculation. But it's a fun mental exercise, so let's take a stab at it, and begin with the access and entitlement products. Oracle here has not one but several fragmented products that by themselves are strong, but still poorly integrated and hence difficult for customers to deploy together: Oracle Access Manager, Adaptive Access Manager, Entitlement Manager, and Federation Manager. Sun on the other hand has OpenSSO, which presents a nice integrated platform for (web) single sign-on, access management and federation; according to Sun, entitlements are just around the corner, announced for October. A sensible thing would be to leave all products in the portfolio, and to wrap the technology into the OpenSSO platform, which is gaining traction because of its open source development philosophy and dual release-cycle approach: the "Express" version with three-month release cycles and the "Enterprise" edition with 12-month release cycles (and of course for those that like to live on the bleeding edge, there are always the daily builds). It might be a good approach to use the Sun product as the central element and add features from the Oracle products to that. It might also be an opportunity to still have some point solutions in the portfolio besides such a core product to support customers with more specific requirements. Overall, Oracle provides more features today (including entitlement management and risk- and context-based authentication and authorization), but as mentioned these are spread across several products. Oracle's answer to that is SOS (Service Oriented Security) as a service layer. One of the features of such a service layer is that it makes it easy to change the underlying technology (the engines).

Directory – Oracle vs Sun

On the LDAP directory side, our judgment would also be in favour of Sun's products. The current flagship enterprise directory is "Directory Server Enterprise Edition" (DSEE), and in parallel Sun is developing OpenDS as the embedded LDAP directory of choice, with a view to it becoming the underlying technology for the next generation directory server. DSEE has a very high market penetration rate in the high-scale directory market for Telcos and large service providers in addition to a very strong share of the enterprise directory market. For example, Oracle has contracted the company Persistent Systems to carry out scalability and benchmark studies for its OID (Oracle Internet Directory) hosting two billion entries. Sun on the other hand has not just benchmark studies but actual customer use cases in the range of almost one billion entries for its DSEE product. Another important advantage is that the Sun product is said to be easier to implement. The most sensible thing to do here would be to continue all three products and eventually merge the combined feature set into OpenDS.

Virtual Directory Servers – Oracle vs Sun

When it comes to virtual directory servers, Oracle still has an edge over Sun's virtual directory. In 2006, Oracle acquired the company OctetString and integrated its flagship virtual directory server into the Oracle stack of identity management products. This could be a good base to build on - or perhaps a future virtual directory server might be (additionally) rolled into the OpenDS code base. Sun provides only limited functionality here - and having it embedded into the directory server itself is an inhibitor to successfully selling that type of technology.

E-SSO - Oracle vs Sun

Sun currently doesn't have its own E-SSO technology, which is a gap in its portfolio. However, Sun has announced ESSO for the OpenSSO build in October. Oracle on the other hand is an OEM of Passlogix, so it does not possess its own technology either. The question in that area will be a make-or-buy decision.

Identity Managers - Oracle vs Sun

That is for sure one of the most interesting areas when looking at the combined portfolios. Both vendors have strong provisioning platforms which are successful in the marketplace, and both have some advantages and disadvantages. When comparing these platforms, we usually end up with a head-to-head comparison, with the winner depending on the weight given to specific features. Both platforms are rather heavyweight, requiring a lot of customization in typical deployments. Oracle is a little bit better in the breadth and depth of connectors, while Sun provides better (explicit) support of roles. And so on...

Given that we have two leading-edge products, it will be very hard to decide which to focus on. It might be an idea to stay with both tools but change the directions of development, with one becoming more of a service-based tool for more lightweight implementations and the other focusing more on the complex platform approach which is typical today. In any case, it would be a good idea to standardize the connector architecture to avoid duplicate work on connectors. Sun has just announced the start of an open source initiative for its IDM connectors, and contributed its existing connectors to that initiative. This might be a good place to start.

Role Mgmt - Oracle vs Sun

Oracle as well as Sun support some role management capabilities in their Identity Manager products, even though Oracle doesn't formally talk about roles there. Both vendors have acquired additional platforms for business role management and additional GRC features. Oracle has bought Bridgestream, while Sun acquired Vaau some time ago. Both products have their strengths, supporting business role management, attestation and other capabilities. Again, that is a head-to-head comparison with no clear winner. Sun's integration of the Identity Manager and Role Manager products is pretty good. But the products are, overall, at roughly the same level of maturity. Thus, another difficult decision.

GRC - Oracle vs Sun

In that area, beyond the companies' role management products, Oracle has clear advantages with several specific offerings in the broader GRC space, including specialized solutions for ERP systems (based on the LogicalApps acquisitions) and more. Thus, there is little overlap.

Identity Services - Oracle vs Sun

An area where Oracle is definitely leading-edge in the IAM and GRC market is its service approach. With SOS (Service Oriented Security), Oracle is the first vendor to publish a relatively complete set of services for identity and security. SOS is an important option for the future strategy, because Oracle just might provide one service layer with different "engines" below that. That would allow Oracle to maintain competing products while also allowing easy integration of, and migration between, these products.

One thing is certain, however - the current products will remain in the portfolio for a long time. The new integrated "champions" of the combined portfolio will eventually emerge, and a solid migration strategy for those products will be worked out. And even then, expect the new integrated company to bow to its customers by allowing for a drawn-out lifecycle for its existing products - assuming that the merger gets the official blessing from the regulators.

Created: 22.04.09, modified: 29.04.09
