Wednesday, July 04, 2007

Managed Identity Services are a hard sell

I came across an announcement today where Wipro and Oracle have apparently partnered to offer customers Managed Identity Services and found it a rather curious move to make on Oracle's part. The only question I have for them is...why?!

I can understand Wipro wanting to explore the opportunities in Identity Management (IDM) outsourcing (they're an Indian company and are trying to get into IDM with a vengeance so it seems a logical move on their part), but Oracle doesn't need something like this. Why? Because they'll fail. The market is not ready for outsourced IDM and may never be. Most are still busy trying to work out their internal processes. Even the companies that have IDM software solutions are still working the kinks out of their processes.

The concept of outsourcing IDM has been around for a while. Access360 (now IBM Tivoli Identity Manager) explored the concept by designing their Enrole product to support the potential that someone might want to outsource their IDM. This feature got quietly thrown out not long after IBM acquired Access360. The reason (I'm guessing) is because there wasn't enough market demand for such a feature.

Think about it. If you outsource your IDM, you're outsourcing the keys to your kingdom. It's akin to giving someone the keys to your front door and asking them to decide who to let in and what they can do in your house. Are they really going to understand that the vase you have on the coffee table is an antique from the Ming dynasty and should under no circumstances be touched and that no kid under the age of 13 should go within 2 metres of it? You really have to trust your outsourcing provider not to screw things up because your business operations rely on the IDM infrastructure being there and functioning properly. Imagine if all of a sudden no one could change passwords or the authentication and access control mechanisms weren't working? Business would just stop.

What about the security implications and risks? Taking the house analogy further, outsourcing your IDM is like giving someone your keys and an inventory of all the things in your house and everything about what can be done to those things. This inventory will also contain the details of every inhabitant within your house or that has a right to visit your house. The keys and this inventory with all this private, sensitive information is now sitting in someone else's place. Sure, they tell you it's "locked in a safe", but you've never actually seen that safe and have no actual control over who can get to it. What assurances do you have that they have the right security measures in place to protect this safe? Or that they have adequate screening processes to ensure that the people who can get into this safe are trustworthy and will not compromise your keys and inventory? These security risks should be enough for an organisation to say "thanks but no thanks."

But if for some insane reason these risks are not compelling enough to say no, let's explore the other issues...

Take into account the experiences most people have in outsourced IT environments and it's not a pretty picture. I've been in enough outsourced accounts to know (and not just ones managed by IBM) that customers tend to be bitter about the outsourcing provider and cannot wait until the day the contract re-negotiations are due so they can throw them out of the account. In fact, I know of a few ex-customers of mine back in Australia that have done just that (some are big financial institutions, so the size of the contracts is going to make a dent in someone's ledger). You throw in giving an outsourcing provider the responsibility to manage your IDM processes and infrastructure and it gets a whole lot more complicated.

Outsourcing IT operations is just that. You let someone else worry about where to put those Unix servers and how to connect those cables. You just need to know that there is a server room full of Unix servers that are guaranteed to be up 99.9999999% of the time and they run your business applications which just need to keep running (yes I'm over-simplifying, but you get what I mean). When you outsource a critical function like IDM, you are outsourcing a whole bunch of business processes that are very specific to your organisation and throwing into the mix a whole bunch of IT management issues. Add to that the political and cultural issues prevalent in all IDM projects (most will say this is the hardest part) and you've got a heck of a problem.

Yes people outsource business processes, but they are usually very standard, mature business functions like Payroll or HR. These don't get thrown into the IT management mix. IDM is like taking HR functions, "one-of-a-kind" custom business processes, all your people and all your IT systems and throwing these together into a mixing bowl and hoping you get a nice cake out of it. It usually takes a few attempts before you can even get a simple sponge cake. The first few attempts usually result in some inedible mess of a cake that you give to the dog to eat while you go try again. Problem with IDM is that there is no dog. You have to eat it yourself while trying to figure out why you've got dog food.

All the variables make IDM outsourcing destined to fail (for now). There are too many moving parts. Business processes are too specific to your organisation (e.g. every bank has different processes for the same thing). You're kidding yourself if you think you can make it someone else's problem just by outsourcing it. IDM will never be someone else's problem. It is always your own problem because you're managing YOUR users using YOUR business processes.

Wipro may be on to something because there's definitely a business opportunity for those not put off by the security risks. Who wouldn't want to make their IDM problems someone else's? But until the whole market works on standards and the solutions are commoditised, IDM outsourcing is just too difficult and is destined for failure.

Until IDM can be defined end-to-end as a set of standardised services from IT all the way through to business processes, you can't outsource your IDM with any level of confidence that it'll all hang together. Standardisation is only beginning with things like XACML, SAML, SPML, OpenID etc. But you can't escape the fact that these are technology-focused standards. Real life use cases are not about technology.

When the day comes where all the underlying standards to support an IDM SOA infrastructure are there (and we're still working out the whole picture here), then we can start to get somewhere. And even then it'll still be difficult to make IDM someone else's problem. Sure, someone can probably host the stuff for you, but the business process issues are still going to be yours and you'll still need the technologists around to facilitate everything. The day when you can comfortably outsource all your IDM functions is the day where you are able to hire a bunch of business analysts to model and maintain your internal identity, access, security, audit and compliance related processes in an industry ratified and standardised fashion that can be sent straight to the IDM service and enforced with immediate effect. And this is ONLY after you can be assured that the sensitive data you are letting out of your environment is adequately protected.


Anonymous said...

What are your thoughts around an on-premise managed model? The managed service provider can proactively ensure that the apps are up and running, that workflows are working right, and can even resolve problems for you - but it's hosted in the client environment. This compromise would be of value, especially if the provider knows the software very well. Thoughts?

Ian said...

This would only work if the service provider was not given the "keys". In other words, they should only be given enough access to run the environment from an operational perspective and to perform configuration changes in a tightly controlled manner with full visibility from the organisation.

The organisation should still call the shots. Most importantly, the organisation should have a dedicated project manager and lead technical security analyst assigned full time to the environment and have full visibility of what is going on. They should be the ones making the decisions so they can own the successes and more importantly also own the problems.

What I'm essentially getting at is that this can only work if the organisation owns the complete solution. The minute they have the mentality that it is a "no worries" environment that is a "black box" and hand all of it over to be managed by an outsourcing provider, that is the beginning of the end. It'll fall into a heap eventually. I've seen this happen many times in many IT environments (as I'm sure we all have) and this is even more crucial when we're talking about identity and access management because it "touches" EVERYTHING. Identity and access management deployments are also one of the more complex, moving parts within an IT infrastructure. The threshold for failure is much lower because any problem potentially affects the whole organisation and can have a real financial business impact resulting in a loss of dollars.

Anonymous said...

Ultimately, the level of security one intends to achieve would depend on the amount of money one is willing to spend. Some would rest on this judgment alone to give an IdM provider the keys to their gates. I am sitting in a chair just like that right now. Security is business driven.

Anonymous said...

Hi Ian,
Amazing how the past year changed the business environment, especially in IT in light of the GEC.

There appear to be two concepts emerging that may come to dominate IDM - SaaS and 'The Cloud'. IDM projects are notoriously onerous, costly and mission critical. With the advantages of Software as a Service and the generic cloud, business attitudes and appetite for outsourced IdM would appear to be reaching critical mass. Especially with all the major vendors pushing their so-called cloud and having already assumed the SaaS model for many of the outsourced IdM contracts.
So the question seems to no longer be 'can IdM be outsourced'; it's now just a question of when and who?

Dave Wicks