Most software eventually goes the way of commoditisation unless the vendor innovates to the point where it morphs into something different. I won't even mention hardware as this market is largely commoditised and vendors are having to differentiate themselves using "bells and whistles" like performance improvements and aesthetic qualities (e.g. an Apple Mac laptop).
Back to software...
Take the following obvious examples of recent times:
- HTTP web servers
- J2EE application servers
- Relational databases
- LDAP servers
So why did all these examples become commoditised? Not only did they become commoditised, then did it very quickly. There's 2 common threads between all of them:
- They are all essential building blocks for most IT environments.
- They all conform to standards.
So it didn't matter that vendors did not make money from these technologies, as long as it meant they had a seat at the table for future software evaluation activities. In fact, most vendors give their LDAP and web servers away for free, with application servers just trailing behind in the "free stakes". Relational databases aren't explicitly free, but they are usually given away as part of another software offering. Or if someone is willing to go for the SMB option, they could download the open source relational database.
In the Identity and Access Management arena, the LDAP plays a big part. Like I said, this is usually free. Moving up the stack, we get to the meta-directories, synchronisation, provisioning and access control tools. It's been said for quite awhile that the access control solutions around have become commodities. To an extent, that is true. But that's simply what it looks like from the outside. The real reason in my opinion is that IBM Tivoli and CA Netegrity own most of the access control/application reverse proxy market. So if you talk access management, you're probably "standardised" the Tivoli way, or the Netegrity way. I know I'm ignoring RSA Cleartrust, but they have a MUCH smaller market so I'm treating them as a non-factor. In other words, this "commoditisation of access control" is only a perception. I dare say that's not really the case. Can you say "I want an access management solution so I'll do a design and just buy the cheapest product out there and my design will work"? Hell no! You could however, say this if you're talking about an LDAP design or a J2EE design (yes I know there are small differences between each vendor's implementation, but these end up being configuration, deployment/infrastructure and tuning tweaks rather than real business design issues). In other words, access management solutions are not really commoditised. They just seem to be because of the total market domination of IBM and CA in this space. I dare say, it'll be awhile before they truly become commoditised (disclaimer: "awhile" in the IT world is not really that long - I'm just saying this bearing in mind that we're talking within the IT context). XACML will need to be widely adopted and implemented in all access management products before we can say this area is anywhere near being truly commoditised. As for the meta-directories, synchronisation and provisioning tools, it may be awhile longer before we see commoditisation of these things. The next one after access management will probably be provisioning. Why? SPML goes some way towards some sort of standard. Even so, all that does is to give us a standard way to talk to the provisioning endpoints. It does not standardise the provisioning policies, processes, transactions, workflows, roles, delegation, reporting, audit and compliance requirements (and so on) and how they are implemented. ie. all the important business things. So, we have a ways to go here.
Back to my point. The next piece of technology in the Identity space to be commoditised (even before the access management products) will be the Federated products. The reason? Standardisation of the protocols. Yes I know we have a few around today:
All the identity vendors are in the federation game of course (there's also a few niche players out there like Ping Identity.). They can't afford not to be - except this time, they are positioning Services Oriented Architecture (SOA) as the endgame and saying that Federation is the key to security in the SOA world (it is of course key...if we're talking about identity exchange, propogation and trust - but there's more to security than just identity). So starting at the SOA and web services layer to get the "foothold", they are instead working down the stack. With this, vendors can now work at potential customers from both ends of the application stack. For example, if someone buys the application server, the vendor sells software up the stack leveraging the application server. If someone buys the SOA and federated stuff, vendors simple sell down the stack and push the "tight coupling" and "close integration" aspects of the non-commoditised software products.
I dare say, in a year or 2 the federated identity landscape may look like this:
- JBoss application server will support SAML federation natively (JBoss is already working on JBoss Federation SSO using a SAML token. It's all Open Source of course...in the JBoss way).
- BEA WebLogic will follow suit (BEA doesn't have identity products).
- Microsoft will WS-* the hell out of anything and everything and include lots of "CardSpace working with WS-*" examples to "quick start your customer applications".
- Apache Geronimo will have some sort of SAML federation extension.
- Oracle Application Server will ship with Oracle Identity Federation "light".
- WebSphere Application Server will have IBM Tivoli Federated Identity Manager "express" natively installed.