Saturday, February 24, 2007

IBM responds to Oracle with Mickey Mouse monitoring tool

Before I start, I should point out that just because I no longer work for IBM does not mean I dislike IBM. I still have a great respect for "Big Blue" and will continue to do so until they do something that radically changes my mind. I say that up front because I'm about to be somewhat critical of them. I've always had my criticisms of the company, but now I can raise them in a public forum (instead of privately discussing them with my colleagues) without fear of having management "give me a stern talking to" I just have to put up with comments from my former colleagues. But a little healthy discussion never hurt anyone.

I am referring to the new monitoring offering from IBM Tivoli, specifically around the Identity and Access Manager products. The monitoring offerings can be found here and here. I'll probably get a little grief about this from those of you I know from IBM. Hey, I'm entitled to my opinion aren't I? Especially as I talked about Oracle's offering earlier this month.

Before I move on, I'll take a little detour and talk about IBM from a marketing standpoint. I used the term "respond" in the title to this post, but I'm not sure that's the case. I was simply referring to what the average person would perceive it as. As far as marketing and image is concerned, perception is the truth. Oracle made their announcement early in February. According to IBM's pages, the monitoring offerings were released mid to late January, which is before Oracle's announcement.

So it looks like it was being developed at the same time as Oracle, unless IBM have managed to trick those of us delving deeper into believing this is the case by listing the release dates in January. I don't know because even internally within IBM, there was no announcement to the greater community until my last week at IBM (week ending February 16)...and I worked for the field sales team whose job it is to sell the software and use announcements like this as "value add selling points". And herein lies the problem with IBM marketing when it comes to Identity and Access Management. If they do such a poor job of communicating this information internally (in a timely manner), how are they to do this effectively to the external audience? This lends itself to a belief I've had for as long as I've worked in this area.

The biggest barrier to sales and building a long term pipeline (even one that the sales people cannot see) and dare I say shortening the sales cycle (apologies for using all these sales "buzzwords") is that IBM is behind the eight ball when it comes to mind share in the Identity and Access Management arena. When it comes to enterprise identity, the press is filled with references to Oracle. When it comes to user centric identity, it's all Microsoft (and occasionally smaller niche players like Sxip and JanRain). Lately, even Symantec's getting into the act.

It never used to surprise me when people would look at me with bewilderment when I told them IBM was one of the leading vendors in this space. It still doesn't surprise me. IBM's PR and marketing machine does an extremely piss weak (i.e. very poor) job of talking up its Identity market leadership. It spends too much time harping on about Linux, Open Source, SOA and the services offerings from Global Business Services and Global Technology Services (at least I think that's what they're called now - they keep changing the names and re-organising the business units, and I have first hand experience that confirms how confusing it is even for employees). Even with these headline messages, they send out mixed signals!

Now that I've got that out of the way, back to the topic at hand. I'll be the first to admit that I don't know the deep technical details of what Oracle's offering actually does. I only know what I've read at a high level. At face value, it looks like Oracle's offering does more than IBM's. I won't outline the details because you can go read about it yourselves (unfortunately, the only link I can provide is this one to the announcement - Oracle's site is so crap that I couldn't find any specific information about their monitoring offering for identity management). I linked to IBM's offering earlier in this post but here are the links again if you don't want to scroll (here and here).

The monitoring offering from IBM tracks the following in Tivoli Identity Manager (TIM):
  • Server availability and server process activity
  • memory usage characteristics: heap size before and after garbage collection, max heap size, garbage collection time
  • workflow queue backlog
  • user page response times
  • tablespace usage
  • logged error messages
And the following in Tivoli Access Manager (TAM):
  • Server availability and server process activity
  • WebSEAL statistics
  • Junction statistics
  • response times
  • workload
Here's why I think these features are "Mickey Mouse" in nature. Most customers I know who have implemented TIM and/or TAM and want to monitor the identity infrastructure has had to implement it themselves (because as I have previously said, there was no actual solution provided by IBM for it). How did they do it? Shell scripts that take a day or so to write. Pretty trivial stuff because they just wanted to monitor infrastructure statistics like performance, server load, response times, table space usage etc. But hang on, that looks like what IBM's just provided as the monitoring offering! All IBM have done is hooked it into the IBM Tivoli Monitoring product set via the Tivoli Universal Agent! If I were a customer, I'd still write my own and let my shell script feed the data into the relevant standard monitoring infrastructure within the organisation's environment.

Of course, IBM usually doesn't do things without a few good reasons. In this case, it is possibly for the following reasons:
  • They knew what Oracle was doing and didn't want to be seen as falling behind.
  • IBM customers have been calling out for a monitoring solution to deal with the IBM Identity Suite for over 2 years and they decided to finally address it (in a half hearted sort of way). In other words, the sales team can finally say "yes" without looking guilty when customers ask if there's a monitoring solution for the Tivoli Identity and Access Management suite.
  • It's a good way to up-sell customers who have the Tivoli Identity suite and get them to consider the Tivoli Monitoring suite.
Of course, that's not to say it doesn't have any real benefits. Problem is, I can only see 2:
  • Customers no longer have to write their own shell scripts to do this.
  • IBM services teams and IBM business partners no longer have to write scripts when they deploy the Tivoli Security products to deal with monitoring. Of course, any good services team will have already written the scripts and should just re-use as much of it as possible, so one could argue whether this is a benefit here. It's probably more beneficial for teams who are new at deploying the products.
As for the biggest barriers to adoption:
  • This is useless to me unless I have IBM Tivoli Monitoring.
  • I cannot modify the solution for my own least not easily.
  • Where is the monitoring offering for the underlying identity infrastructure? By that I mean the most important software support component used by TIM and TAM - IBM Tivoli Directory Server (TDS)! TDS is the LDAP component so one could argue that you could go find some open source alternative or find some LDAP monitoring solution out there. This defeats the whole purpose doesn't it? IBM's solution lets you monitor TIM and TAM for "infrastructure things" but doesn't actually let you monitor the core software components supporting the applications. So the answer is to use the new offering for TIM and TAM but go build your own or buy something else to monitor TDS? Sounds rather nonsensical to me. I may be over reacting here because monitoring an LDAP is not difficult. It's common and pretty standard practice. TDS even has a section of the LDAP tree that can be queried for monitoring stats. Problem here is that I've still got to somehow feed that into my monitoring solution. Back to writing scripts I guess! To illustrate this point, let me just point one thing out. TIM and TAM don't work without TDS. Enough said.
  • It only monitors trivial infrastructure metrics. There is nothing that will give me the business context I need, which is often the biggest reason to monitor the security and identity infrastructure.
Here's a few examples of what I mean when I say business context monitoring:
  • Repeated failed authentication attempts.
  • Tracking a user's session to alert of suspicious behaviour.
  • Alerting of requests for access to "sensitive" parts of the environment (systems or additional access to what a user already has).
  • Real time alerts of additional access privileges that do not meet defined security policies (an email to a person hoping they'll see it soon doesn't cut it I'm afraid).
The list is endless...and will be very different for each company, especially when dealing with business processes around auditing and compliance. Don't get me wrong. IBM Tivoli (and possibly even Oracle) has the products in place to address these needs. There just hasn't been a combined solution that solves these issues easily. There's too much services and customisation work involved and not enough "cookie cutter" approaches to make life easier for end users and services teams. And here is where both Oracle and IBM have not addressed a real need.

No comments: