Still unsolved: The relationship between IAM, SOA, and BSM

In a perhaps simplistic view of IT, there are three important pillars at the IT infrastructure level. Using the - sometimes improper - buzzwords, these are:

  • Identity (and Access) Management (IAM)
  • SOA - or, more precisely, the technologies for business processes and flexible applications, including, for example, BPM (Business Process Management)
  • BSM (Business Service Management), or ITSM (IT Service Management), or BTO (Business Technology Optimization), or whatever you want to call what used to be systems management and now, with a new layer on top, is something "entirely new". I would say it claims to be something new, but the layer on top is far from being mature.

You might claim that the Enterprise Systems are missing from that list. Yes, they are missing. No, they are in, because SOA or BPM are the way to use these systems in the future - have a look at the strategies of SAP with NetWeaver or Oracle with Fusion.

If you look at these systems as pillars, then they are in some sense the "infrastructure foundation" of IT. On the other hand, they are linked at the upper level through GRC (Governance, Risk Management, Compliance). GRC is based on information from the system level, on things like BAM (Business Activity Monitoring) as an output of what is happening on the ESB (Enterprise Service Bus, a part of the SOA/BPM piece), and on all the identity- and security-related events ("who has done what, when, and who has allowed this") from IAM.

This view is somewhat familiar and explains why companies are investing heavily in these areas of IT. You need all of them. And, by the way, as a vendor you have to be either best-of-breed in one of these areas with good support for integration, or you should support all areas - where I would say that IBM today is the only one in the market.

But the question I'd like to discuss today is another one: What is the relationship between IAM, SOA, and BSM, to use these abbreviations? And what is the state of integration between the different areas? With three areas, there are also three relations:

  • BSM to IAM: Identity Services might be managed as IT services or, sometime in the future, as real business services. On the other hand, services are managed and used in the context of identities (users, roles, ...). For accounting purposes, for security purposes, for planning purposes and so on, it is indispensable to support identities in BSM. Thus, it is a bidirectional dependency.
  • BSM to SOA: First of all, you have to distinguish "service" from "service". The BSM service (which is, as mentioned above, not a business service but an IT service today) is an abstract description of something IT delivers. It can be managed according to ITIL (IT Infrastructure Library), and it can be tracked by SLAs (Service Level Agreements). The SOA service is something which can be used in applications, a web service or something like this. If you look at the ITIL approach and the BSM ideas, these could easily be used for these SOA/application services as well. But only very few, specialized vendors are doing that today. Besides this, the complexity of IT and the need for things like ITIL are increasing due to service-based applications which are spread not only amongst several servers, but amongst several companies which provide services.
  • IAM to SOA: There is a clear relationship as well. How do you provide end-to-end security in a SOA world? Identity Federation is the obvious answer. On the other hand, IAM might benefit from SOA ideas, for example in using ESBs as a transport instead of reinventing the wheel. By the way: This relationship will be an important topic at our European Identity Conference.

Thus, we have obvious, important relationships between the different parts of IT infrastructure. But we observe only very few approaches from vendors to really address this. Most obviously, we find a growing understanding of IAM in the SOA world, especially at the level of vendors of ESBs and application infrastructures. The acquisitions of SAP and Oracle in the IAM field prove this.

On the other hand, not every BSM vendor has understood the relationship either to SOA or to IAM (look at HP, regarding the latter). But, honestly, I don't expect that we will see one vendor who provides everything out of the box. Even SAP and Oracle aren't really into the BSM field. The result would be a huge monster application, much more complex than anything we've seen before. Unmanageable and with the best chances for failing projects.

It is more about

  1. understanding the relationships
  2. defining interfaces
  3. supporting this in the applications in the different areas

I'm convinced that the best approach is to define your own strategy, to select manageable tools (which means that, for example, some of the BSM approaches should be avoided because they are nothing more than an even more complex reincarnation of yesterday's Enterprise System Management frameworks) and to enhance your own IT infrastructure according to the relationship between these areas. Understanding the dependencies is, from my point of view, the most important factor for successful IT strategies.


