In a perhaps simplistic view of IT, there are three important pillars at the IT infrastructure level. Using the - sometimes improper - buzzwords, these are:
- Identity (and Access) Management (IAM)
- SOA - in fact, more the technologies for business processes and flexible applications, including e.g. BPM (Business Process Management)
- BSM (Business Service Management), or ITSM (IT Service Management), or BTO (Business Technology Optimization), or whatever you want to call what used to be systems management and now, with a new layer on top, is something "entirely new". I would say it claims to be something new, but the layer on top is far from being mature.
If you look at these systems as pillars, then they are in a sense the "infrastructure foundation" of IT. On the other hand, they are linked at the upper level by GRC (Governance, Risk Management, Compliance). GRC is based on information from the system level, on things like BAM (Business Activity Monitoring) as an output of what is happening on the ESB (Enterprise Service Bus, a part of the SOA/BPM piece), and on all the identity- and security-related events ("who has done what, when, and who has allowed it") from IAM.
This view is somewhat familiar and explains why companies are investing heavily in these areas of IT. You need all of them. And, by the way, as a vendor you either have to be best-of-breed in one of these areas with good support for integration, or you should support all areas - where I would say that IBM is the only one in the market today.
But the question I'd like to discuss today is another one: What is the relationship between IAM, SOA, and BSM, to use these abbreviations? And what is the state of integration between the different areas? With three areas, there are also three relationships:
- BSM to IAM: Identity services might be managed as IT services or, sometime in the future, as real business services. On the other hand, services are managed and used in the context of identities (users, roles, ...). For accounting purposes, for security purposes, for planning purposes and so on, supporting identities in BSM is indispensable. Thus, it is a bidirectional dependency.
- BSM to SOA: First of all, you have to distinguish "service" from "service". The BSM service (which is, as mentioned above, not a business service but an IT service today) is an abstract description of something IT delivers. It can be managed according to ITIL (IT Infrastructure Library), and it can be tracked by SLAs (Service Level Agreements). The SOA service is something which can be used in applications, a web service or something like this. If you look at the ITIL approach and the BSM ideas, these could easily be used for these SOA/application services as well. But only very few specialized vendors are doing that today. Besides this, the complexity of IT and the need for things like ITIL are increasing due to service-based applications which are spread not only amongst several servers, but amongst several companies which provide services.
- IAM to SOA: There is a clear relationship as well. How do you provide end-to-end security in a SOA world? Identity Federation is the obvious answer. On the other hand, IAM might benefit from SOA ideas, for example by using ESBs as a transport instead of reinventing the wheel. By the way: This relationship will be an important topic at our European Identity Conference.
On the other hand, not every BSM vendor has understood the relationship to either SOA or IAM (look at HP, regarding the latter). But, honestly, I don't expect that we will see one vendor who provides everything out of the box. Even SAP and Oracle aren't really into the BSM field. The result would be a huge monster application, much more complex than anything we've seen before: unmanageable, and with the best chances of failed projects.
It is more about:
- understanding the relationships
- defining interfaces
- supporting this in the applications in the different areas