Thursday, November 27, 2008

And the iPod touch goes to

Remember my Managed Identity Services Survey and how the good folks at Identropy offered an iPod touch as an incentive to participate? It's taken some time thanks to various emails falling into spam folders and/or not getting through email filters but we finally got it sorted.

The recipient of the iPod touch has been announced over on Ash Motiwala's blog. Congratulations Niall!

Special thanks to Ash and Identropy for the prize. Also, thanks to Matt Flynn for helping us out with the logistics around selecting the winner and ensuring it was completely random (if anyone feels like they need to know the boring details around how it was done, contact me using the form on my blog).

Tuesday, November 25, 2008

Signs your Identity Management project is in trouble

While I'm at it, here's another Top 10 list (Letterman style). I should point out that I'm not being serious this time...well, not really.

Of course, like Letterman's top 10 lists, it's a bit of a hit and miss affair. That is, sometimes the lists aren't funny at all (cringe-worthy even). Anyway, here goes...

Top 10 signs your Identity Management project is in trouble:

10. Each time you ask which systems need to be part of the Federation project, the person in charge says that the Borgs from Microsoft land and the Romulans from (insert random vendor here) are going to take some convincing.

9. The executive sponsor for your project actually carries a toy light saber to your meetings in case they need to "unleash the force" on the team (see my previous post for this reference to make sense).

8. The answer to every problem seems to be "why don't we use that darned Meta-Directory synchronisation thingamajiggy"?

7. The company implementing your project replaces their whole team and you don't notice for a week (note: this might actually happen if you go with a large multinational consulting company).

6. You ring the sales guy who sold you the software and his voice mail says he's on indefinite leave in the Bahamas.

5. You try the vendor's support number and it says they're in the Bahamas with the sales guy.

4. The help desk asks if you would like your head to be provisioned up where the sun don't shine when you call to say you can't reset your password.

3. When you click on the "I forgot my password" link, you're presented with a screen that says "Go look in the configuration file for the master password and reset your own damn password".

2. Your vendor says there will be a delay on the media (DVDs/CDs) because the police raided the warehouse yesterday and it'll take them time to burn you a new set in the "back shed".

And the number 1 sign that your Identity Management project is in trouble is...

You actually believed that everything you saw in the product demonstration would work in your environment without customisation.

*Bada Boom*

Identity Management Top 10 List

Ash Motiwala threw out some one-liners that relate to Identity Management projects in general. Jeff Bohren added a few of his own as did Mike Conklin. Ash decided it would be fun to "tag" a few others (yours truly included) and ask us to contribute a few of our own.

Here's a few from me in Letterman top 10 list style (note: I realise some of these are longer than "snappy one-liners" if you include the explanations but I figured it was better being clear than leaving everyone scratching their heads):

10. Exec can haz light saber
If you don't get business buy-in and an executive sponsor (with a big light saber they can pull out when required), the chances that your Identity Management project will succeed are significantly reduced (note: this one's true of most IT projects, but it's especially important in this context because Identity Management projects typically touch every single department).

9. An internal a** needs to be on the line
An internal person needs to own the project and be accountable. Don't pretend everything will be fine by assuming the vendor and service provider know how your business processes work.

8. Big bang will blow up
Take a phased approach to Identity Management, not a "big bang" one.

7. Go for the quick visible win first
Solutions that visibly improve the end user experience will go a long way towards the project being viewed as a success (note: this is actually the way the single sign-on products are typically sold, but it can apply to other types of Identity Management solutions as well).

6. The vendor should catch any S*** splattered from the fan
The core Identity Management technologies are largely commoditised. Pick a vendor that will stick around when the S*** hits the fan, not the one with the shiniest new toy.

5. "The grad got hit by a bus? No problem, here's another one we hired last week" is not the right answer
Pick an implementation partner with real expertise, not one that knows how to hire a shed-load of University graduates and send them on product training before promptly rolling them onto your project and charging them out at a rate that is 10 times the amount they actually get paid (I'm looking at you Accenture, Deloitte, IBM GBS et al).

4. Entitlement Management is not a new concept
It's just a fancy-schmancy name for fine-grained access management, which has been around for years. People are just getting around to worrying about fine-grained stuff because they've already implemented some sort of web access management product.

3. You probably don't need the whole suite of products
If the sales person tells you that you do and can't explain why, boot their a** out the door. Of course, quite often they'll give you a larger discount for buying the whole lot up front, so you'll need to decide if it's worth the money given you could end up with a bunch of shelf-ware.

2. RFPs are a waste of time that won't die
They are a necessary evil that some large organisations need to go through, but vendors fill them in by doing copious amounts of copying and pasting and the evaluation teams select a shortlist by counting the number of "comply" responses. Why? Because Identity Management projects that need RFPs are too complex to evaluate using a tender process.

1. If you think the software's expensive, wait until you get the bill for the services!
This isn't always true, but unfortunately it's all too common. In short, pick your implementation provider carefully and keep a tight leash on the scope and milestones.

Monday, November 17, 2008

CA sprints towards 2009

Oracle acquired Bridgestream (I wrote about this here). Then Sun acquired VAAU. Now CA's acquired the last remaining high profile role management player, Eurekify.

First of all, congratulations to founder Ron Rymon (he's the only person from Eurekify I've actually met) and the team. As I said to Ron earlier this week, it makes a lot of sense and I think it's a good fit.

I've written about CA's moves in the past and also mentioned the CA-Eurekify partnership in passing. It looks like they're keeping the momentum up and making a lot of headway towards competing with the other leaders in the Identity and Access Management marketplace.

I don't think the Eurekify acquisition is going to change the landscape too much mainly because of the existing partnership. The initial benefit is going to be that their sales reps probably get paid more commission for selling "CA Role Manager" or whatever they call the Eurekify product. In the longer term however, they're obviously going to have to integrate Eurekify's products into the CA stack so there's eventually going to be the "out of the box" integration benefits. Of course, the main benefit to CA as a company is in being able to market the fact they are now a serious role management player (along with Oracle and Sun).

The Eurekify acquisition also plays very nicely into CA's move towards being a strong GRC player. Eurekify's product set does include some GRC components geared towards identity compliance with an obvious focus on roles. CA's existing GRC Manager lacks some of the features around the identity-centric compliance niche that SailPoint and Aveksa play in, but I'd be very surprised if CA doesn't fill the gaps using Eurekify's technology, given that Sun just released their Identity Compliance Manager product (which I believe was based on VAAU technology - all you Sun bloggers can correct me if I'm wrong about this) and the fact that Oracle has something along these lines on the roadmap (according to Amit Jasuja when I spoke to him).

CA compounded their GRC march this weekend at CA World by announcing a Software as a Service (SaaS) version of their GRC Manager product, dubbed GRC Manager On Demand. This makes them the first large Identity and Access Management software vendor (the others being IBM, Sun, Oracle and Novell) to release a SaaS offering. I'm unsure how well it's going to sell given the results of my Managed Identity Services survey but what it does show is intent on CA's part to get serious about competing and getting ahead.

Oracle, Sun and CA have been very active of late. IBM and Novell have not. In fact, they have been VERY quiet. IBM will actually be releasing a new Entitlement Management product later this year but that's a little ho hum as I've already said. I have a feeling something is brewing because IBM and Novell cannot afford to sit around and watch everyone else get waaaay ahead. Novell's Access Governance Suite is an OEM of Aveksa's software. In other words, if Novell acquires someone in the role management/identity compliance area, my money's on Aveksa. This leaves IBM and SailPoint as the remaining pair. Watch this space.

Sunday, November 16, 2008

Is Centrify DirectAuthorize one of a kind?

I'm sure many of you read Dave Kearns' NetworkWorld Identity Management Newsletter. I certainly do, and I noticed something buried near the end of his most recent edition regarding Centrify's DirectAuthorize product:
"The new product centrally manages and enforces role-based entitlements for fine grained control of user access and privileges on Unix and Linux systems. If your organization has a mix of operating systems you need a product like this. And the “jungle drums” (Tom – Tom, get it? OK, you can groan now) assure me that this is the only product “like this”."

The "only product like this" comment jumped out at me because I'm wondering what Centrify actually means. If they are implying that it is the only product on the market that does fine-grained access management for Unix and Linux systems and is hooked into some sort of centralised Identity Management infrastructure, they need to do a bit more research because I can point to at least 2 products that can do the same thing:

If on the other hand, they simply mean that they have a nicer interface that is easier to use and tighter coupling with Active Directory then they have a very good point.

A blog post where I mention IBM and don't take some sort of "pot shot" at them would be incomplete. So I'll say this: If IBM ever decides to design user interfaces where the user doesn't scream "owwww my eyes" when they look at them, they might actually sell more software.

Update: Dave's left a comment in response to this post that clarifies things slightly. I'm still not 100% sure what "like this" means. However, I'm sure someone from Centrify could explain it in detail and sing about the benefits around how DirectAuthorize does whatever "like this" means.