My colleague Felix Gaehtgens recently blogged about his discussion with Tom Bishop, CTO at BMC, about the BMC strategy for IAM. His findings are very consistent with Tom Bishop's blog post, which was published some weeks later and appears to be an indirect response to Felix.

It is obvious that many BMC customers are uncertain about BMC's strategy for IAM. There have been several changes, both in BMC's organization and in the way BMC is addressing this market. BMC has moved the development of the IAM functionality to India, where they also develop other major parts of their products. Some people from the IAM team in North America and EMEA - from the product side as well as from sales and marketing - have left BMC, including Jeff Bohren, one of the guys behind SPML. Even though BMC states that there are more people involved in IAM activities than before, there are still some open questions left.

BMC's explanation for this is that they have been re-focusing their IAM strategy, positioning IAM as part of their BSM strategy. Within this, they are focusing on access (control) and provisioning. In other words: topics like Web Access Management, Identity Federation, Virtual Directory Services and so on aren't in the scope of BMC any more. BMC doesn't see, to quote them on this, "a necessity for diving deeper into this".

Thus, there will be a successor to Control-SA which will be part of the BSM offering, while still being sold separately. There is a clear statement that for features beyond core provisioning, the full BSM platform of BMC will be required in the future. BMC is focusing on the integration of IAM in that platform. Accordingly, the admin console's interface is being rewritten and standard functionality will be provided more and more by the BSM platform. There will be several enhancements in the next release, especially around user self-service, which fits this picture of IAM built around the service desk.

Without giving away everything that will be in our upcoming vendor report on BMC (with IAM focus, an overall vendor report following later this year), there are some obvious strengths as well as shortcomings with this approach.

As Felix has pointed out, BMC won't become a full service vendor in the IAM market. The optimal use of BMC's IAM offerings will require the full BSM platform with the CMDB, service desk and so on. Persons, roles, and entitlements will be managed starting at the CMDB level. However, BMC seems not to be fully convinced of this strategy - they've mentioned that they are still looking at how customers are accepting this. Control-SA customers can use the basic features, but there will be a new layer on top for managing processes. So even though BMC claims that provisioning can be used without other features (of additional BMC products), that will be a pretty limited form of provisioning, especially when compared with the features offered by leading provisioning products in the market, which go well beyond core provisioning.

On the other hand, BMC is still investing in its IAM products - that's the good news. BMC seems to be even more interested and active in IAM than before. And there are obvious advantages to integrating IAM with BSM. A huge number of Service Desk tickets are IAM-related, around passwords, user and access management.

But first of all, BSM (Business Service Management) is not only a CMDB and a Service Desk but a concept that goes well beyond this.

And even if you follow BMC's arguments: there are not only internal users. What about the partners and the customers? How do they fit into this picture, especially when federation is not on the list of topics? I don't know the answer. Interestingly, I had a discussion with several CISOs of leading European companies, and one of the biggest threats they are facing is around the on- and off-boarding of companies (partners, acquisitions, ...) as well as persons.

Besides this, I believe in a model where IAM is more sort of a parallel pillar of the entire IT strategy and environment to BSM than a subset of BSM - while Service Desks and CMDBs are a subset of BSM...

My advice is: have a look at what BMC is doing. They are investing in IAM again - the good news. And, for Remedy and Atrium customers: they will provide integration of IAM into the BSM approach of BMC. On the other hand, that implies a growing dependency of IAM features on the BSM infrastructure, something you have to be aware of. And, in any case: define your BSM strategy as a BSM strategy (and not a CMDB or ITIL or ITSM or Service Desk strategy) first, just as you should define your IAM strategy with a focus on all identities (e.g. also external identities), the new threats of using and managing cloud services, of user-centric approaches and so on. Do it in the context of GRC and SOA security. Then you can decide which products from which vendor you should use.