I've done several webinars around changing architectures for Identity Provisioning and Access Governance during the last few months. And new architectural approaches for Provisioning have been an important topic at the EIC for years. I've also written a report on Access Governance architectures recently. That is no surprise. Provisioning has to integrate with IT Service Management in some way. It has to support the standard systems where automation is key as well as other systems which either don't support automation interfaces (unfortunately there are several apps out there which don't provide integration points, including several important healthcare apps) or where automation is too expensive. Thus, it is not only about connectors. It is about flexible support for different approaches, from manual workflows to full bi-directional automation.
For the core systems, it definitely makes sense to automate. Many transactions, high risks - these are reasons to invest in direct connectors. But there are many other systems out there which need to be connected as well. Even though there aren't that many standard interfaces (Web Services, Command Line Interfaces, JDBC/ODBC, LDAP, ...) which are commonly used to interact with target systems, customization and integration are costly anyhow. "Connector fabrics" and other approaches help, but typically organizations end up with some systems which are tightly connected and others which aren't.
There are many approaches to integrating these systems. There might be specific provisioning tools (FIM/ILM, Quest ARS, and others for Active Directory; SAP NW IDM for SAP; ...) in place which can be integrated with other provisioning systems. There might be existing processes based on SRM (Service Request Management) tools. There might be the need for additional manual workflows and some access governance to track whether the manual actions have been performed or not.
In other words: Flexibility is key. Flexibility for architectures, where Identity Provisioning and Access Governance tools are just one element - there might be more than one Provisioning tool, there might be SRM, existing workflows, the integration of Provisioning and Access Governance, interfaces to Enterprise Portals, and so on. And flexibility for connections to systems, by not relying on automation alone.
Interestingly, I had some briefings in the last few weeks where vendors - like Courion and Aveksa - highlighted new capabilities which are targeted at exactly this. There are other vendors which started with that earlier. However, it seems to be becoming a major trend right now - open, flexible architectures for Provisioning and Access Governance. For customers, that means that they have to think a little more about the adequate architecture. On the other hand, that might save them significantly more money by choosing an approach which really fits what they have.
Hope to see you at EIC 2010 in Munich, May 4th to 7th, 2010.