It’s been almost 15 years since Business Layers and Oblix ushered in the new age of Identity and Access Management Systems (IAM systems) with what I called at the time the “killer app” for Directory Services – electronic provisioning. Even more incredible is that it’s almost 20 years since I wrote a workflow-based provisioning application (I even called it “employee provisioning”) based on Microsoft’s messaging application programming interface (MAPI). It actually was quite primitive in terms of 21st century provisioning tools in that it relied on automated email messages to inform people of things that needed to be done (grant access, deliver hardware, etc.) with an automated “nag” system if the task wasn’t marked as completed.

I know that my system is no longer used and I really doubt that the Business Layers’ and Oblix provisioning systems are still in use. But lots of people are still using lots of systems that no longer are offered. In the provisioning area alone I’ll wager that there are still installations from Thor, Waveset, M-Tech, Sun and more none of which are still being offered – at least not under that brand name.

And it’s not only provisioning systems that have gotten “long in the tooth” in your datacenter. Every aspect of IAM has probably moved forward at least one generation since you installed it, and many have moved quite a bit forward. Let me hasten to add that it probably isn’t your fault that this has happened, especially if you’ve followed the advice we’ve been handing out over those fifteen years since electronic provisioning first became a real possibility and the IAM revolution was launched.

Back then, and for some time after, no one vendor could supply all of your IAM needs. It’s possible to argue that that is still true, but – if it is – it’s less true today than it was, say 10 years ago. So what we, the IAM gurus, suggested was that you choose “Best of Breed” solutions and hammer them together. “Best of Breed” was an amorphous term, though, covering a great many things. In reality we meant “best for you” depending on your circumstances.

Getting all of those apps from all of those vendors to work together was a real chore – one that kept IAM consultants rolling in dough as they cobbled together scripts, apps, services and more so that you had a semblance of an IAM infrastructure.

Anyone who had gone through the experience of surveying the market, demo’ing software or trying out a “proof of concept” from multiple vendors for each area (Provisioning, SSO, Access Control, Governance, etc.) of the IAM continuum came through the exercise very tired, very bruised and very wary of starting again.

Over the years, the apps that were chosen were sometimes updated (by the customer – they were frequently updated by the vendor) whenever doing so wouldn’t break the intricate relationship with the rest of your IAM services. Sometimes – when a vendor was acquired – the app you were using would simply disappear from the market to be, perhaps, replaced by something similar (or not) depending on the whims of the new vendor.

What it all means is that those of you who should be commended for being the early adopters in the IAM space are, essentially, stuck with a cobbled together system which in many of its facets is no longer supported by its vendor, or may not even have a vendor to support it any longer.

Others of you, of course, would have spent an inordinate amount of time replacing parts of the system as mergers and acquisitions occurred. So you may have started out with Business Layers’ eProvisionware as a provisioning app. When that company was acquired by Netegrity, you might have switched your provisioning services to the leader at that time, Waveset. Waveset which, less than a year later, was acquired by Sun Microsystems. Still, you might have stayed with the people you know and, gradually, installed Sun Identity Manager. Which has now been acquired by Oracle.

Another possibility is that you, early on, went with Oblix for provisioning. Until they were acquired by Oracle early in 2005. Well, you quickly switched to the then highly recommended independent provisioning vendor – Thor Technologies. Which was acquired by Oracle!

Where does it all end? Will Larry Ellison eventually acquire everyone in the IdM space? Probably not, at least not as long as there are other major players. But what does it mean for you?

Two points I want to make up front:

  • What was “Best of Breed” a few years ago may no longer be;
  • Choosing “Best of Breed” today may be a security nightmare.

Yesterday’s “Best of Breed” was probably a stand-alone application from a vendor who was committed to a particular IAM niche. For example, PassLogix was long thought the Best of Breed Enterprise Simplified Signon (ESSO) solution. When that company was acquired 18 months ago, though (by, you might have guessed, Oracle) others who were using the product began to scramble to find a replacement – it was no longer feasible to add Passlogix’ V-Go ESSO to the other multi-vendor IAM apps you were using.

But the whole idea of a Best of Breed IAM stack from multiple vendors needs to be re-thought. The Best of Breed IAM stack was never seamlessly integrated. Scripts, publicly available protocols, data conversion hubs and some manual tweaking always seemed to be needed to ensure that everything worked together. And it almost did work together. At the best of times it was probably 95% successful. But that 5% was the camel’s nose in the IAM tent.

That 5% “seam” – which for most installations was closer to 10% or 15% – is the area that hackers, crackers and other malcontents can exploit for their nefarious purposes. That’s where the security loopholes appear, and that seam can sometimes end up being close to 80% of your project cost, not the 5, 10 or 15% it should be.

So if your current Best of Breed solution is insecure and too complex, and if there’s really no way to improve its security by adding updates, upgrades or other potential Best of Breed applications, what should you do?

It’s time to move up a level. Rather than “Best of Breed” applications, it’s time to look at “Best Fit” suites.

You might think that with all the mergers and acquisitions of the past ten years that provisioning applications, in particular, would be offered by only a handful of vendors, but you would be wrong. Here’s a list of almost two dozen vendors offering provisioning solutions from very basic to extremely complex.

  • Atos (Siemens)
  • Avatier
  • Beta Systems
  • BMC Software
  • CA Technologies
  • Courion
  • Evidian
  • Fischer International
  • Fox Technologies
  • Hitachi ID Systems
  • IBM Tivoli
  • Ilex
  • Institute for Systemmanagement
  • Lighthouse Security Group
  • Microsoft
  • NetIQ Novell
  • Omada
  • OpenIAM
  • Oracle
  • Quest Software
  • SailPoint
  • SAP

Most offer that provisioning as one of a number of modules of a suite of IAM applications and services. In almost 100% of the cases, any IAM disciplines that the vendor hasn’t created in-house (or through acquisition) are offered from closely tied partners with assurances of relatively seamless connectivity, connectivity which you couldn’t hope to match by picking apps and services from a laundry list of vendors.

You might think that, since you’re picking a full-blown suite, this makes your job easier – the vendor has done the work of matching up and integrating the various parts. You would, of course, be wrong.

More than ever you will need to be extremely diligent in doing your homework, first by determining your organization’s needs and then by weighing each of the vendors’ offerings to see which is the best fit for you.

It’s not enough to take the suite with the most modules, even. More than likely it will include services you don’t want, don’t need or, perhaps, can’t legally run (think about privacy regulations, for example). But you will still pay for all of those modules, whether or not you use them.

You certainly don’t want to automatically take the best seller or the one that’s most popular with the critics and analysts – while those will be good choices, they’re not necessarily the best choice for your organization in its present (or future) circumstances.

So, how will you find the right suite for you, the one that will replace the hodge-podge of services or the orphaned apps that you are currently using? Let me offer one methodology.

In their book, The Innovator's DNA: Mastering the Five Skills of Disruptive Innovators [Harvard Business Review Books], Jeff Dyer, Hal Gregersen, and Clayton M. Christensen present a study of successful innovators (e.g., Steve Jobs) and attempt to distill the habits which served them well in creating disruption and success. If you’re going to be successful at disrupting your IAM structure and innovating a new, secure IAM environment then you might want to consider these skills.

The five skills that should be mastered are: associating, questioning, observing, networking, and experimenting. What do they mean? The authors explain:

Associating refers to your ability to make connections across seemingly unrelated questions, problems, fields of study, or ideas. Associational thinkers draw on knowledge acquired through questioning, observing, experimenting and networking to link together unexpected combinations of problems, ideas and observations to produce new business ideas.

Questioning reflects your passion for inquiry (measured through the frequency and types of questions you ask) to find new insights, connections, possibilities, and directions. Active, honest questioning of the status quo provides a powerful tool for opening up new opportunities and uncovering new business ideas and directions.

Observing refers to your propensity to intensely observe (not just visually) the world around you on a regular basis – such as customers, products, services, and technologies – and through observation gain insights and ideas about new ways of doing things.

Experimenting refers to the frequency with which you explore with an experimental mindset, visiting new places, trying new things, seeking new information, and experimenting to learn new things. Experimenters constantly explore the world intellectually and experientially, holding convictions at bay, testing hypotheses along the way.

Networking refers to finding and testing ideas with a network of individuals who are diverse in both background and perspective. Networkers actively search for new ideas by talking to people who may offer a radically different perspective.

So, how does this apply to you, starting out to revise, revitalize and revamp your IAM infrastructure?

You’ve already begun if you’re Questioning your current IAM installation. Network with others in your organization, across all departments and functions from the top to the bottom. Discover what they like and don’t like about your current IAM stack and what related features and tools they would like to have to enable them to get their job done more easily, efficiently and effectively. Follow that up by Observing what is being offered by vendors in their suites of IAM services and which are applicable to your situation – and the wants and needs of your users. Once you’ve determined a short list of possible IAM suites, begin to Experiment with them. Set up test beds and see if the suites perform as their vendors imply. See if your users would be comfortable using these new tools and functions. Then Observe and Question your findings and revise your Experiments accordingly. Finally, Associate all of your findings, conversations, observations and experiments and make your choice.

It’s not a short process, nor is it an easy one. But the piano-wire-and-chewing-gum nature of your current IAM installation is going to come unraveled. And probably sooner rather than later. Get started now.

To find out what’s new in IAM, join me along with representatives from Courion, Oracle and Atos for a look at “Best Practice Driven Identity & Access Management,” Tuesday, February 21 at 11:00 AM EST (17:00 CET/8:00 AM PST). Register here.